diff --git a/x-pack/platform/plugins/private/telemetry_collection_xpack/schema/xpack_security.json b/x-pack/platform/plugins/private/telemetry_collection_xpack/schema/xpack_security.json index ca8fac92d505b..d27249f66cb9b 100644 --- a/x-pack/platform/plugins/private/telemetry_collection_xpack/schema/xpack_security.json +++ b/x-pack/platform/plugins/private/telemetry_collection_xpack/schema/xpack_security.json @@ -786,7 +786,7 @@ "notifications_disabled": { "type": "long", "_meta": { - "description": "Number of notifications enabled" + "description": "Number of notifications disabled" } }, "legacy_investigation_fields": { @@ -820,13 +820,13 @@ "two": { "type": "long", "_meta": { - "description": "Number of query rules configured with two suppression field" + "description": "Number of query rules configured with two suppression fields" } }, "three": { "type": "long", "_meta": { - "description": "Number of query rules configured with three suppression field" + "description": "Number of query rules configured with three suppression fields" } } } 
@@ -857,24 +857,176 @@ } } }, + "response_actions": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of enabled query rules configured with response actions" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of disabled query rules configured with response actions" + } + }, + "response_actions": { + "properties": { + "endpoint": { + "type": "long", + "_meta": { + "description": "Number of endpoint response actions within query rules" + } + }, + "osquery": { + "type": "long", + "_meta": { + "description": "Number of osquery response actions within query rules" + } + } + } + } + } + }, "has_exceptions": { "type": "long", "_meta": { "description": "Number of query rules with exceptions" } + } + } + }, + "query_custom": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of custom query rules enabled" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of custom query rules disabled" + } + }, + "alerts": { + "type": "long", + "_meta": { + "description": "Number of alerts generated by custom query rules" + } + }, + "cases": { + "type": "long", + "_meta": { + "description": "Number of cases attached to custom query detection rule alerts" + } + }, + "legacy_notifications_enabled": { + "type": "long", + "_meta": { + "description": "Number of custom query detection rules with legacy notifications enabled" + } + }, + "legacy_notifications_disabled": { + "type": "long", + "_meta": { + "description": "Number of custom query detection rules with legacy notifications disabled" + } + }, + "notifications_enabled": { + "type": "long", + "_meta": { + "description": "Number of custom query detection rules with custom notifications enabled" + } + }, + "notifications_disabled": { + "type": "long", + "_meta": { + "description": "Number of custom query detection rules with custom notifications disabled" + } + }, + "legacy_investigation_fields": { + 
"type": "long", + "_meta": { + "description": "Number of custom query detection rules using the legacy investigation fields type introduced only in 8.10 ESS" + } + }, + "alert_suppression": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of enabled custom query rules configured with suppression" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of disabled custom query rules configured with suppression" + } + }, + "suppressed_fields_count": { + "properties": { + "one": { + "type": "long", + "_meta": { + "description": "Number of custom query rules configured with one suppression field" + } + }, + "two": { + "type": "long", + "_meta": { + "description": "Number of custom query rules configured with two suppression field" + } + }, + "three": { + "type": "long", + "_meta": { + "description": "Number of custom query rules configured with three suppression field" + } + } + } + }, + "suppressed_per_time_period": { + "type": "long", + "_meta": { + "description": "Number of custom query rules configured with suppression per time period" + } + }, + "suppressed_per_rule_execution": { + "type": "long", + "_meta": { + "description": "Number of custom query rules configured with suppression per rule execution" + } + }, + "suppresses_missing_fields": { + "type": "long", + "_meta": { + "description": "Number of custom query rules configured to suppress alerts with missing fields" + } + }, + "does_not_suppress_missing_fields": { + "type": "long", + "_meta": { + "description": "Number of custom query rules configured do not suppress alerts with missing fields" + } + } + } }, "response_actions": { "properties": { "enabled": { "type": "long", "_meta": { - "description": "Number of enabled query rules configured with response actions" + "description": "Number of enabled custom query rules configured with response actions" } }, "disabled": { "type": "long", "_meta": { - "description": "Number of disabled query 
rules configured with response actions" + "description": "Number of disabled custom query rules configured with response actions" } }, "response_actions": { @@ -882,18 +1034,24 @@ "endpoint": { "type": "long", "_meta": { - "description": "Number of endpoint response actions within query rules" + "description": "Number of endpoint response actions within custom query rules" } }, "osquery": { "type": "long", "_meta": { - "description": "Number of osquery response actions within query rules" + "description": "Number of osquery response actions within custom query rules" } } } } } + }, + "has_exceptions": { + "type": "long", + "_meta": { + "description": "Number of custom query rules with exceptions" + } } } }, 
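Review bot: The new `query_custom` block's `suppressed_fields_count.two` and `.three` descriptions keep the singular wording (`"Number of custom query rules configured with two suppression field"`) that the -820 hunk of this same commit pluralizes for the `query` block; they should read `"... with two suppression fields"` and `"... with three suppression fields"`. The same singular form is copied into every new block of the -998 hunk (`threshold_custom`, `eql`, `eql_custom`, `machine_learning`, `machine_learning_custom`, `threat_match`) and into `threat_match_custom` in the -1130 hunk, so the fix applied here is undone a dozen times below. These `_meta.description` strings are the only semantics a reader of the collected telemetry has for each counter, so a one-off correction is worth carrying through all the copies.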
@@ -998,41 +1156,983 @@ "suppressed_per_rule_execution": { "type": "long", "_meta": { - "description": "Number of threshold rules configured with suppression per rule execution" + "description": "Number of threshold rules configured with suppression per rule execution" + } + }, + "suppresses_missing_fields": { + "type": "long", + "_meta": { + "description": "Number of threshold rules configured to suppress alerts with missing fields" + } + }, + "does_not_suppress_missing_fields": { + "type": "long", + "_meta": { + "description": "Number of threshold rules configured do not suppress alerts with missing fields" + } + } + } + }, + "response_actions": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of enabled threshold rules configured with response actions" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of disabled threshold rules configured with response actions" + } + }, + "response_actions": { + "properties": { + "endpoint": { + "type": "long", + "_meta": { + "description": "Number of endpoint response actions within threshold rules" + } + }, + "osquery": { + "type": "long", + "_meta": { + "description": "Number of osquery response actions within threshold rules" + } + } + } + } + } + }, + "has_exceptions": { + "type": "long", + "_meta": { + "description": "Number of threshold rules with exceptions" + } + } + } + }, + "threshold_custom": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of custom threshold rules enabled" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of custom threshold rules disabled" + } + }, + "alerts": { + "type": "long", + "_meta": { + "description": "Number of alerts generated by custom threshold rules" + } + }, + "cases": { + "type": "long", + "_meta": { + "description": "Number of cases attached to custom threshold detection rule alerts" + } + }, + "legacy_notifications_enabled": { + "type": 
"long", + "_meta": { + "description": "Number of custom threshold rules with legacy notifications enabled" + } + }, + "legacy_notifications_disabled": { + "type": "long", + "_meta": { + "description": "Number of custom threshold rules with legacy notifications disabled" + } + }, + "notifications_enabled": { + "type": "long", + "_meta": { + "description": "Number of custom threshold rules with notifications enabled" + } + }, + "notifications_disabled": { + "type": "long", + "_meta": { + "description": "Number of custom threshold rules with notifications disabled" + } + }, + "legacy_investigation_fields": { + "type": "long", + "_meta": { + "description": "Number of custom threshold rules using the legacy investigation fields type introduced only in 8.10 ESS" + } + }, + "alert_suppression": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of enabled custom threshold rules configured with suppression" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of disabled custom threshold rules configured with suppression" + } + }, + "suppressed_fields_count": { + "properties": { + "one": { + "type": "long", + "_meta": { + "description": "Number of custom threshold rules configured with one suppression field" + } + }, + "two": { + "type": "long", + "_meta": { + "description": "Number of custom threshold rules configured with two suppression field" + } + }, + "three": { + "type": "long", + "_meta": { + "description": "Number of custom threshold rules configured with three suppression field" + } + } + } + }, + "suppressed_per_time_period": { + "type": "long", + "_meta": { + "description": "Number of custom threshold rules configured with suppression per time period" + } + }, + "suppressed_per_rule_execution": { + "type": "long", + "_meta": { + "description": "Number of custom threshold rules configured with suppression per rule execution" + } + }, + "suppresses_missing_fields": { + "type": "long", + "_meta": 
{ + "description": "Number of custom threshold rules configured to suppress alerts with missing fields" + } + }, + "does_not_suppress_missing_fields": { + "type": "long", + "_meta": { + "description": "Number of custom threshold rules configured do not suppress alerts with missing fields" + } + } + } + }, + "response_actions": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of enabled custom threshold rules configured with response actions" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of disabled custom threshold rules configured with response actions" + } + }, + "response_actions": { + "properties": { + "endpoint": { + "type": "long", + "_meta": { + "description": "Number of endpoint response actions within custom threshold rules" + } + }, + "osquery": { + "type": "long", + "_meta": { + "description": "Number of osquery response actions within custom threshold rules" + } + } + } + } + } + }, + "has_exceptions": { + "type": "long", + "_meta": { + "description": "Number of custom threshold rules with exceptions" + } + } + } + }, + "eql": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of eql rules enabled" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of eql rules disabled" + } + }, + "alerts": { + "type": "long", + "_meta": { + "description": "Number of alerts generated by eql rules" + } + }, + "cases": { + "type": "long", + "_meta": { + "description": "Number of cases attached to eql detection rule alerts" + } + }, + "legacy_notifications_enabled": { + "type": "long", + "_meta": { + "description": "Number of legacy notifications enabled" + } + }, + "legacy_notifications_disabled": { + "type": "long", + "_meta": { + "description": "Number of legacy notifications disabled" + } + }, + "notifications_enabled": { + "type": "long", + "_meta": { + "description": "Number of notifications enabled" + } + }, + 
"notifications_disabled": { + "type": "long", + "_meta": { + "description": "Number of notifications enabled" + } + }, + "legacy_investigation_fields": { + "type": "long", + "_meta": { + "description": "Number of rules using the legacy investigation fields type introduced only in 8.10 ESS" + } + }, + "alert_suppression": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of enabled eql rules configured with suppression" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of disabled eql rules configured with suppression" + } + }, + "suppressed_fields_count": { + "properties": { + "one": { + "type": "long", + "_meta": { + "description": "Number of eql rules configured with one suppression field" + } + }, + "two": { + "type": "long", + "_meta": { + "description": "Number of eql rules configured with two suppression field" + } + }, + "three": { + "type": "long", + "_meta": { + "description": "Number of eql rules configured with three suppression field" + } + } + } + }, + "suppressed_per_time_period": { + "type": "long", + "_meta": { + "description": "Number of eql rules configured with suppression per time period" + } + }, + "suppressed_per_rule_execution": { + "type": "long", + "_meta": { + "description": "Number of eql rules configured with suppression per rule execution" + } + }, + "suppresses_missing_fields": { + "type": "long", + "_meta": { + "description": "Number of eql rules configured to suppress alerts with missing fields" + } + }, + "does_not_suppress_missing_fields": { + "type": "long", + "_meta": { + "description": "Number of eql rules configured do not suppress alerts with missing fields" + } + } + } + }, + "response_actions": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of enabled eql rules configured with response actions" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of disabled eql rules configured with 
response actions" + } + }, + "response_actions": { + "properties": { + "endpoint": { + "type": "long", + "_meta": { + "description": "Number of endpoint response actions within eql rules" + } + }, + "osquery": { + "type": "long", + "_meta": { + "description": "Number of osquery response actions within eql rules" + } + } + } + } + } + }, + "has_exceptions": { + "type": "long", + "_meta": { + "description": "Number of EQL rules with exceptions" + } + } + } + }, + "eql_custom": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of custom eql rules enabled" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of custom eql rules disabled" + } + }, + "alerts": { + "type": "long", + "_meta": { + "description": "Number of alerts generated by custom eql rules" + } + }, + "cases": { + "type": "long", + "_meta": { + "description": "Number of cases attached to custom eql detection rule alerts" + } + }, + "legacy_notifications_enabled": { + "type": "long", + "_meta": { + "description": "Number of custom EQL rules with legacy notifications enabled" + } + }, + "legacy_notifications_disabled": { + "type": "long", + "_meta": { + "description": "Number of custom EQL rules with legacy notifications disabled" + } + }, + "notifications_enabled": { + "type": "long", + "_meta": { + "description": "Number of custom EQL rules with notifications enabled" + } + }, + "notifications_disabled": { + "type": "long", + "_meta": { + "description": "Number of custom EQL rules with notifications disabled" + } + }, + "legacy_investigation_fields": { + "type": "long", + "_meta": { + "description": "Number of custom EQL rules using the legacy investigation fields type introduced only in 8.10 ESS" + } + }, + "alert_suppression": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of enabled custom eql rules configured with suppression" + } + }, + "disabled": { + "type": "long", + "_meta": { + 
"description": "Number of disabled custom eql rules configured with suppression" + } + }, + "suppressed_fields_count": { + "properties": { + "one": { + "type": "long", + "_meta": { + "description": "Number of custom eql rules configured with one suppression field" + } + }, + "two": { + "type": "long", + "_meta": { + "description": "Number of custom eql rules configured with two suppression field" + } + }, + "three": { + "type": "long", + "_meta": { + "description": "Number of custom eql rules configured with three suppression field" + } + } + } + }, + "suppressed_per_time_period": { + "type": "long", + "_meta": { + "description": "Number of custom eql rules configured with suppression per time period" + } + }, + "suppressed_per_rule_execution": { + "type": "long", + "_meta": { + "description": "Number of custom eql rules configured with suppression per rule execution" + } + }, + "suppresses_missing_fields": { + "type": "long", + "_meta": { + "description": "Number of custom eql rules configured to suppress alerts with missing fields" + } + }, + "does_not_suppress_missing_fields": { + "type": "long", + "_meta": { + "description": "Number of custom eql rules configured do not suppress alerts with missing fields" + } + } + } + }, + "response_actions": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of enabled custom EQL rules configured with response actions" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of disabled custom EQL rules configured with response actions" + } + }, + "response_actions": { + "properties": { + "endpoint": { + "type": "long", + "_meta": { + "description": "Number of endpoint response actions within custom EQL rules" + } + }, + "osquery": { + "type": "long", + "_meta": { + "description": "Number of osquery response actions within custom EQL rules" + } + } + } + } + } + }, + "has_exceptions": { + "type": "long", + "_meta": { + "description": "Number of custom EQL rules 
with exceptions" + } + } + } + }, + "machine_learning": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of machine_learning rules enabled" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of machine_learning rules disabled" + } + }, + "alerts": { + "type": "long", + "_meta": { + "description": "Number of alerts generated by machine_learning rules" + } + }, + "cases": { + "type": "long", + "_meta": { + "description": "Number of cases attached to machine_learning detection rule alerts" + } + }, + "legacy_notifications_enabled": { + "type": "long", + "_meta": { + "description": "Number of legacy notifications enabled" + } + }, + "legacy_notifications_disabled": { + "type": "long", + "_meta": { + "description": "Number of legacy notifications disabled" + } + }, + "notifications_enabled": { + "type": "long", + "_meta": { + "description": "Number of notifications enabled" + } + }, + "notifications_disabled": { + "type": "long", + "_meta": { + "description": "Number of notifications enabled" + } + }, + "legacy_investigation_fields": { + "type": "long", + "_meta": { + "description": "Number of rules using the legacy investigation fields type introduced only in 8.10 ESS" + } + }, + "alert_suppression": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of enabled machine_learning rules configured with suppression" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of disabled machine_learning rules configured with suppression" + } + }, + "suppressed_fields_count": { + "properties": { + "one": { + "type": "long", + "_meta": { + "description": "Number of machine_learning rules configured with one suppression field" + } + }, + "two": { + "type": "long", + "_meta": { + "description": "Number of machine_learning rules configured with two suppression field" + } + }, + "three": { + "type": "long", + "_meta": { + "description": "Number of 
machine_learning rules configured with three suppression field" + } + } + } + }, + "suppressed_per_time_period": { + "type": "long", + "_meta": { + "description": "Number of machine_learning rules configured with suppression per time period" + } + }, + "suppressed_per_rule_execution": { + "type": "long", + "_meta": { + "description": "Number of machine_learning rules configured with suppression per rule execution" + } + }, + "suppresses_missing_fields": { + "type": "long", + "_meta": { + "description": "Number of machine_learning rules configured to suppress alerts with missing fields" + } + }, + "does_not_suppress_missing_fields": { + "type": "long", + "_meta": { + "description": "Number of machine_learning rules configured do not suppress alerts with missing fields" + } + } + } + }, + "response_actions": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of enabled ML rules configured with response actions" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of disabled ML rules configured with response actions" + } + }, + "response_actions": { + "properties": { + "endpoint": { + "type": "long", + "_meta": { + "description": "Number of endpoint response actions within ML rules" + } + }, + "osquery": { + "type": "long", + "_meta": { + "description": "Number of osquery response actions within ML rules" + } + } + } + } + } + }, + "has_exceptions": { + "type": "long", + "_meta": { + "description": "Number of ML rules with exceptions" + } + } + } + }, + "machine_learning_custom": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of custom machine_learning rules enabled" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of custom machine_learning rules disabled" + } + }, + "alerts": { + "type": "long", + "_meta": { + "description": "Number of alerts generated by custom machine_learning rules" + } + }, + "cases": { + "type": 
"long", + "_meta": { + "description": "Number of cases attached to custom machine_learning detection rule alerts" + } + }, + "legacy_notifications_enabled": { + "type": "long", + "_meta": { + "description": "Number of custom ML rules with legacy notifications enabled" + } + }, + "legacy_notifications_disabled": { + "type": "long", + "_meta": { + "description": "Number of custom ML rules with legacy notifications disabled" + } + }, + "notifications_enabled": { + "type": "long", + "_meta": { + "description": "Number of custom ML rules with notifications enabled" + } + }, + "notifications_disabled": { + "type": "long", + "_meta": { + "description": "Number of custom ML rules with notifications disabled" + } + }, + "legacy_investigation_fields": { + "type": "long", + "_meta": { + "description": "Number of custom ML rules using the legacy investigation fields type introduced only in 8.10 ESS" + } + }, + "alert_suppression": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of enabled custom machine_learning rules configured with suppression" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of disabled custom machine_learning rules configured with suppression" + } + }, + "suppressed_fields_count": { + "properties": { + "one": { + "type": "long", + "_meta": { + "description": "Number of custom machine_learning rules configured with one suppression field" + } + }, + "two": { + "type": "long", + "_meta": { + "description": "Number of custom machine_learning rules configured with two suppression field" + } + }, + "three": { + "type": "long", + "_meta": { + "description": "Number of custom machine_learning rules configured with three suppression field" + } + } + } + }, + "suppressed_per_time_period": { + "type": "long", + "_meta": { + "description": "Number of custom machine_learning rules configured with suppression per time period" + } + }, + "suppressed_per_rule_execution": { + "type": "long", + 
"_meta": { + "description": "Number of custom machine_learning rules configured with suppression per rule execution" + } + }, + "suppresses_missing_fields": { + "type": "long", + "_meta": { + "description": "Number of custom machine_learning rules configured to suppress alerts with missing fields" + } + }, + "does_not_suppress_missing_fields": { + "type": "long", + "_meta": { + "description": "Number of custom machine_learning rules configured do not suppress alerts with missing fields" + } + } + } + }, + "response_actions": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of enabled custom ML rules configured with response actions" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of disabled custom ML rules configured with response actions" + } + }, + "response_actions": { + "properties": { + "endpoint": { + "type": "long", + "_meta": { + "description": "Number of endpoint response actions within custom ML rules" + } + }, + "osquery": { + "type": "long", + "_meta": { + "description": "Number of osquery response actions within custom ML rules" + } + } + } + } + } + }, + "has_exceptions": { + "type": "long", + "_meta": { + "description": "Number of custom ML rules with exceptions" + } + } + } + }, + "threat_match": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of threat_match rules enabled" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of threat_match rules disabled" + } + }, + "alerts": { + "type": "long", + "_meta": { + "description": "Number of alerts generated by threat_match rules" + } + }, + "cases": { + "type": "long", + "_meta": { + "description": "Number of cases attached to threat_match detection rule alerts" + } + }, + "legacy_notifications_enabled": { + "type": "long", + "_meta": { + "description": "Number of legacy notifications enabled" + } + }, + "legacy_notifications_disabled": { + "type": "long", + 
"_meta": { + "description": "Number of legacy notifications disabled" + } + }, + "notifications_enabled": { + "type": "long", + "_meta": { + "description": "Number of notifications enabled" + } + }, + "notifications_disabled": { + "type": "long", + "_meta": { + "description": "Number of notifications enabled" + } + }, + "legacy_investigation_fields": { + "type": "long", + "_meta": { + "description": "Number of rules using the legacy investigation fields type introduced only in 8.10 ESS" + } + }, + "alert_suppression": { + "properties": { + "enabled": { + "type": "long", + "_meta": { + "description": "Number of enabled threat_match rules configured with suppression" + } + }, + "disabled": { + "type": "long", + "_meta": { + "description": "Number of disabled threat_match rules configured with suppression" + } + }, + "suppressed_fields_count": { + "properties": { + "one": { + "type": "long", + "_meta": { + "description": "Number of threat_match rules configured with one suppression field" + } + }, + "two": { + "type": "long", + "_meta": { + "description": "Number of threat_match rules configured with two suppression field" + } + }, + "three": { + "type": "long", + "_meta": { + "description": "Number of threat_match rules configured with three suppression field" + } + } + } + }, + "suppressed_per_time_period": { + "type": "long", + "_meta": { + "description": "Number of threat_match rules configured with suppression per time period" + } + }, + "suppressed_per_rule_execution": { + "type": "long", + "_meta": { + "description": "Number of threat_match rules configured with suppression per rule execution" } }, "suppresses_missing_fields": { "type": "long", "_meta": { - "description": "Number of threshold rules configured to suppress alerts with missing fields" + "description": "Number of threat_match rules configured to suppress alerts with missing fields" } }, "does_not_suppress_missing_fields": { "type": "long", "_meta": { - "description": "Number of threshold rules 
configured do not suppress alerts with missing fields" + "description": "Number of threat_match rules configured do not suppress alerts with missing fields" } } } }, - "has_exceptions": { - "type": "long", - "_meta": { - "description": "Number of threshold rules with exceptions" - } - }, "response_actions": { "properties": { "enabled": { "type": "long", "_meta": { - "description": "Number of enabled threshold rules configured with response actions" + "description": "Number of enabled threat match rules configured with response actions" } }, "disabled": { "type": "long", "_meta": { - "description": "Number of disabled threshold rules configured with response actions" + "description": "Number of disabled threat match rules configured with response actions" } }, "response_actions": { 
@@ -1040,75 +2140,81 @@ "endpoint": { "type": "long", "_meta": { - "description": "Number of endpoint response actions within threshold rules" + "description": "Number of endpoint response actions within threat match rules" } }, "osquery": { "type": "long", "_meta": { - "description": "Number of osquery response actions within threshold rules" + "description": "Number of osquery response actions within threat match rules" } } } } } + }, + "has_exceptions": { + "type": "long", + "_meta": { + "description": "Number of threat match rules with exceptions" + } } } }, - "eql": { + "threat_match_custom": { "properties": { "enabled": { "type": "long", "_meta": { - "description": "Number of eql rules enabled" + "description": "Number of custom threat_match rules enabled" } }, "disabled": { "type": "long", "_meta": { - "description": "Number of eql rules disabled" + "description": "Number of custom threat_match rules disabled" } }, "alerts": { "type": "long", "_meta": { - "description": "Number of alerts generated by eql rules" + "description": "Number of alerts generated by custom threat_match rules" } }, "cases": { "type": "long", "_meta": { - "description": "Number of cases attached to eql detection rule alerts" + "description": "Number of cases attached to custom threat_match detection rule alerts" } }, "legacy_notifications_enabled": { "type": "long", "_meta": { - "description": "Number of legacy notifications enabled" + "description": "Number of custom IM rules with legacy notifications enabled" } }, "legacy_notifications_disabled": { "type": "long", "_meta": { - "description": "Number of legacy notifications disabled" + "description": "Number of custom IM rules with legacy notifications disabled" } }, "notifications_enabled": { "type": "long", "_meta": { - "description": "Number of notifications enabled" + "description": "Number of custom IM rules with notifications enabled" } }, "notifications_disabled": { "type": "long", "_meta": { - "description": "Number of 
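Review bot: The `notifications_disabled` counter in the new `eql`, `machine_learning` and `threat_match` blocks is described as `"Number of notifications enabled"`, the exact copy-paste error the first hunk of this commit fixes for the `query` block; each should be `"description": "Number of notifications disabled"`. Left as is, the disabled-notifications count is documented as its opposite, which misleads anyone interpreting the telemetry. The `_custom` variants of those blocks in this hunk already carry the correct "disabled" wording and name the rule type, so the non-custom blocks could follow that pattern rather than the bare "Number of notifications ..." text.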
notifications enabled" + "description": "Number of custom IM rules with notifications disabled" } }, "legacy_investigation_fields": { "type": "long", "_meta": { - "description": "Number of rules using the legacy investigation fields type introduced only in 8.10 ESS" + "description": "Number of custom IM rules using the legacy investigation fields type introduced only in 8.10 ESS" } }, "alert_suppression": { @@ -1116,13 +2222,13 @@ "enabled": { "type": "long", "_meta": { - "description": "Number of enabled eql rules configured with suppression" + "description": "Number of enabled custom threat_match rules configured with suppression" } }, "disabled": { "type": "long", "_meta": { - "description": "Number of disabled eql rules configured with suppression" + "description": "Number of disabled custom threat_match rules configured with suppression" } }, "suppressed_fields_count": { @@ -1130,19 +2236,19 @@ "one": { "type": "long", "_meta": { - "description": "Number of eql rules configured with one suppression field" + "description": "Number of custom threat_match rules configured with one suppression field" } }, "two": { "type": "long", "_meta": { - "description": "Number of eql rules configured with two suppression field" + "description": "Number of custom threat_match rules configured with two suppression field" } }, "three": { "type": "long", "_meta": { - "description": "Number of eql rules configured with three suppression field" + "description": "Number of custom threat_match rules configured with three suppression field" } } } 
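Review bot: The renamed `threat_match_custom` block labels the same rule type three different ways within a few lines: "custom IM rules" for the notification and legacy investigation fields counters, "custom threat_match rules" for enabled/disabled/alerts/cases and the suppression counters, and "custom threat match rules" for response actions and exceptions in the -1150 and -1198 hunks. Picking one label (the key name `threat_match` is the obvious choice) makes the descriptions searchable and consistent with the `threat_match` block above, which does not use "IM". This is wording only; the schema structure is unaffected.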
@@ -1150,47 +2256,41 @@ "suppressed_per_time_period": { "type": "long", "_meta": { - "description": "Number of eql rules configured with suppression per time period" + "description": "Number of custom threat_match rules configured with suppression per time period" } }, "suppressed_per_rule_execution": { "type": "long", "_meta": { - "description": "Number of eql rules configured with suppression per rule execution" + "description": "Number of custom threat_match rules configured with suppression per rule execution" } }, "suppresses_missing_fields": { "type": "long", "_meta": { - "description": "Number of eql rules configured to suppress alerts with missing fields" + "description": "Number of custom threat_match rules configured to suppress alerts with missing fields" } }, "does_not_suppress_missing_fields": { "type": "long", "_meta": { - "description": "Number of eql rules configured do not suppress alerts with missing fields" + "description": "Number of custom threat_match rules configured do not suppress alerts with missing fields" } } } }, - "has_exceptions": { - "type": "long", - "_meta": { - "description": "Number of eql rules with exceptions" - } - }, "response_actions": { "properties": { "enabled": { "type": "long", "_meta": { - "description": "Number of enabled eql rules configured with response actions" + "description": "Number of enabled custom threat match rules configured with response actions" } }, "disabled": { "type": "long", "_meta": { - "description": "Number of disabled eql rules configured with response actions" + "description": "Number of disabled custom threat match rules configured with response actions" } }, "response_actions": { 
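Review bot: The rule-type label drifts inside this one hunk: the `alert_suppression` descriptions say "custom threat_match rules" while the `response_actions` descriptions a few lines later say "custom threat match rules", and the notification descriptions of the same `threat_match_custom` object in the preceding hunk use "custom IM rules". Since these `_meta` descriptions are what someone reading the exported telemetry schema has to search through, one label per rule type is worth settling on here, e.g. `"Number of enabled custom threat_match rules configured with response actions"`. The same drift appears in `@@ -1308,47 +2414,41 @@` ("new_terms" vs "new terms"), `@@ -1466,47 +2572,41 @@` ("new_terms" vs "new terms" vs "New Terms"), `@@ -1624,47 +2730,41 @@` and `@@ -1782,47 +2888,41 @@` ("esql" vs "ES|QL"). The enclosing `threat_match_custom` object starts outside this hunk.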
@@ -1198,45 +2298,51 @@ "endpoint": { "type": "long", "_meta": { - "description": "Number of endpoint response actions within eql rules" + "description": "Number of endpoint response actions within custom threat match rules" } }, "osquery": { "type": "long", "_meta": { - "description": "Number of osquery response actions within eql rules" + "description": "Number of osquery response actions within custom threat match rules" } } } } } + }, + "has_exceptions": { + "type": "long", + "_meta": { + "description": "Number of custom threat match rules with exceptions" + } } } }, - "machine_learning": { + "new_terms": { "properties": { "enabled": { "type": "long", "_meta": { - "description": "Number of machine_learning rules enabled" + "description": "Number of new_terms rules enabled" } }, "disabled": { "type": "long", "_meta": { - "description": "Number of machine_learning rules disabled" + "description": "Number of new_terms rules disabled" } }, "alerts": { "type": "long", "_meta": { - "description": "Number of alerts generated by machine_learning rules" + "description": "Number of alerts generated by new_terms rules" } }, "cases": { "type": "long", "_meta": { - "description": "Number of cases attached to machine_learning detection rule alerts" + "description": "Number of cases attached to new_terms detection rule alerts" } }, "legacy_notifications_enabled": { @@ -1274,13 +2380,13 @@ "enabled": { "type": "long", "_meta": { - "description": "Number of enabled machine_learning rules configured with suppression" + "description": "Number of enabled new_terms rules configured with suppression" } }, "disabled": { "type": "long", "_meta": { - "description": "Number of disabled machine_learning rules configured with suppression" + "description": "Number of disabled new_terms rules configured with suppression" } }, "suppressed_fields_count": { 
@@ -1288,19 +2394,19 @@ "one": { "type": "long", "_meta": { - "description": "Number of machine_learning rules configured with one suppression field" + "description": "Number of new_terms rules configured with one suppression field" } }, "two": { "type": "long", "_meta": { - "description": "Number of machine_learning rules configured with two suppression field" + "description": "Number of new_terms rules configured with two suppression field" } }, "three": { "type": "long", "_meta": { - "description": "Number of machine_learning rules configured with three suppression field" + "description": "Number of new_terms rules configured with three suppression field" } } } 
@@ -1308,47 +2414,41 @@ "suppressed_per_time_period": { "type": "long", "_meta": { - "description": "Number of machine_learning rules configured with suppression per time period" + "description": "Number of new_terms rules configured with suppression per time period" } }, "suppressed_per_rule_execution": { "type": "long", "_meta": { - "description": "Number of machine_learning rules configured with suppression per rule execution" + "description": "Number of new_terms rules configured with suppression per rule execution" } }, "suppresses_missing_fields": { "type": "long", "_meta": { - "description": "Number of machine_learning rules configured to suppress alerts with missing fields" + "description": "Number of new_terms rules configured to suppress alerts with missing fields" } }, "does_not_suppress_missing_fields": { "type": "long", "_meta": { - "description": "Number of machine_learning rules configured do not suppress alerts with missing fields" + "description": "Number of new_terms rules configured do not suppress alerts with missing fields" } } } }, - "has_exceptions": { - "type": "long", - "_meta": { - "description": "Number of machine_learning rules with exceptions" - } - }, "response_actions": { "properties": { "enabled": { "type": "long", "_meta": { - "description": "Number of enabled machine_learning rules configured with response actions" + "description": "Number of enabled new terms rules configured with response actions" } }, "disabled": { "type": "long", "_meta": { - "description": "Number of disabled machine_learning rules configured with response actions" + "description": "Number of disabled new terms rules configured with response actions" } }, "response_actions": { 
@@ -1356,75 +2456,81 @@ "endpoint": { "type": "long", "_meta": { - "description": "Number of endpoint response actions within machine_learning rules" + "description": "Number of endpoint response actions within new terms rules" } }, "osquery": { "type": "long", "_meta": { - "description": "Number of osquery response actions within machine_learning rules" + "description": "Number of osquery response actions within new terms rules" } } } } } + }, + "has_exceptions": { + "type": "long", + "_meta": { + "description": "Number of New Terms rules with exceptions" + } } } }, - "threat_match": { + "new_terms_custom": { "properties": { "enabled": { "type": "long", "_meta": { - "description": "Number of threat_match rules enabled" + "description": "Number of custom new_terms rules enabled" } }, "disabled": { "type": "long", "_meta": { - "description": "Number of threat_match rules disabled" + "description": "Number of custom new_terms rules disabled" } }, "alerts": { "type": "long", "_meta": { - "description": "Number of alerts generated by threat_match rules" + "description": "Number of alerts generated by custom new_terms rules" } }, "cases": { "type": "long", "_meta": { - "description": "Number of cases attached to threat_match detection rule alerts" + "description": "Number of cases attached to custom new_terms detection rule alerts" } }, "legacy_notifications_enabled": { "type": "long", "_meta": { - "description": "Number of legacy notifications enabled" + "description": "Number of custom New Terms rules with legacy notifications enabled" } }, "legacy_notifications_disabled": { "type": "long", "_meta": { - "description": "Number of legacy notifications disabled" + "description": "Number of custom New Terms rules with legacy notifications disabled" } }, "notifications_enabled": { "type": "long", "_meta": { - "description": "Number of notifications enabled" + "description": "Number of custom New Terms rules with notifications enabled" } }, "notifications_disabled": { 
"type": "long", "_meta": { - "description": "Number of notifications enabled" + "description": "Number of custom New Terms rules with notifications disabled" } }, "legacy_investigation_fields": { "type": "long", "_meta": { - "description": "Number of rules using the legacy investigation fields type introduced only in 8.10 ESS" + "description": "Number of custom New Terms rules using the legacy investigation fields type introduced only in 8.10 ESS" } }, "alert_suppression": { @@ -1432,13 +2538,13 @@ "enabled": { "type": "long", "_meta": { - "description": "Number of enabled threat_match rules configured with suppression" + "description": "Number of enabled custom new_terms rules configured with suppression" } }, "disabled": { "type": "long", "_meta": { - "description": "Number of disabled threat_match rules configured with suppression" + "description": "Number of disabled custom new_terms rules configured with suppression" } }, "suppressed_fields_count": { @@ -1446,19 +2552,19 @@ "one": { "type": "long", "_meta": { - "description": "Number of threat_match rules configured with one suppression field" + "description": "Number of custom new_terms rules configured with one suppression field" } }, "two": { "type": "long", "_meta": { - "description": "Number of threat_match rules configured with two suppression field" + "description": "Number of custom new_terms rules configured with two suppression field" } }, "three": { "type": "long", "_meta": { - "description": "Number of threat_match rules configured with three suppression field" + "description": "Number of custom new_terms rules configured with three suppression field" } } } 
@@ -1466,47 +2572,41 @@ "suppressed_per_time_period": { "type": "long", "_meta": { - "description": "Number of threat_match rules configured with suppression per time period" + "description": "Number of custom new_terms rules configured with suppression per time period" } }, "suppressed_per_rule_execution": { "type": "long", "_meta": { - "description": "Number of threat_match rules configured with suppression per rule execution" + "description": "Number of custom new_terms rules configured with suppression per rule execution" } }, "suppresses_missing_fields": { "type": "long", "_meta": { - "description": "Number of threat_match rules configured to suppress alerts with missing fields" + "description": "Number of custom new_terms rules configured to suppress alerts with missing fields" } }, "does_not_suppress_missing_fields": { "type": "long", "_meta": { - "description": "Number of threat_match rules configured do not suppress alerts with missing fields" + "description": "Number of custom new_terms rules configured do not suppress alerts with missing fields" } } } }, - "has_exceptions": { - "type": "long", - "_meta": { - "description": "Number of threat_match rules with exceptions" - } - }, "response_actions": { "properties": { "enabled": { "type": "long", "_meta": { - "description": "Number of enabled threat_match rules configured with response actions" + "description": "Number of enabled custom new terms rules configured with response actions" } }, "disabled": { "type": "long", "_meta": { - "description": "Number of disabled threat_match rules configured with response actions" + "description": "Number of disabled custom new terms rules configured with response actions" } }, "response_actions": { 
@@ -1514,45 +2614,51 @@ "endpoint": { "type": "long", "_meta": { - "description": "Number of endpoint response actions within threat_match rules" + "description": "Number of endpoint response actions within custom new terms rules" } }, "osquery": { "type": "long", "_meta": { - "description": "Number of osquery response actions within threat_match rules" + "description": "Number of osquery response actions within custom new terms rules" } } } } } + }, + "has_exceptions": { + "type": "long", + "_meta": { + "description": "Number of custom New Terms rules with exceptions" + } } } }, - "new_terms": { + "esql": { "properties": { "enabled": { "type": "long", "_meta": { - "description": "Number of new_terms rules enabled" + "description": "Number of esql rules enabled" } }, "disabled": { "type": "long", "_meta": { - "description": "Number of new_terms rules disabled" + "description": "Number of esql rules disabled" } }, "alerts": { "type": "long", "_meta": { - "description": "Number of alerts generated by new_terms rules" + "description": "Number of alerts generated by esql rules" } }, "cases": { "type": "long", "_meta": { - "description": "Number of cases attached to new_terms detection rule alerts" + "description": "Number of cases attached to esql detection rule alerts" } }, "legacy_notifications_enabled": { @@ -1590,13 +2696,13 @@ "enabled": { "type": "long", "_meta": { - "description": "Number of enabled new_terms rules configured with suppression" + "description": "Number of enabled esql rules configured with suppression" } }, "disabled": { "type": "long", "_meta": { - "description": "Number of disabled new_terms rules configured with suppression" + "description": "Number of disabled esql rules configured with suppression" } }, "suppressed_fields_count": { 
@@ -1604,19 +2710,19 @@ "one": { "type": "long", "_meta": { - "description": "Number of new_terms rules configured with one suppression field" + "description": "Number of esql rules configured with one suppression field" } }, "two": { "type": "long", "_meta": { - "description": "Number of new_terms rules configured with two suppression field" + "description": "Number of esql rules configured with two suppression field" } }, "three": { "type": "long", "_meta": { - "description": "Number of new_terms rules configured with three suppression field" + "description": "Number of esql rules configured with three suppression field" } } } 
@@ -1624,47 +2730,41 @@ "suppressed_per_time_period": { "type": "long", "_meta": { - "description": "Number of new_terms rules configured with suppression per time period" + "description": "Number of esql rules configured with suppression per time period" } }, "suppressed_per_rule_execution": { "type": "long", "_meta": { - "description": "Number of new_terms rules configured with suppression per rule execution" + "description": "Number of esql rules configured with suppression per rule execution" } }, "suppresses_missing_fields": { "type": "long", "_meta": { - "description": "Number of new_terms rules configured to suppress alerts with missing fields" + "description": "Number of esql rules configured to suppress alerts with missing fields" } }, "does_not_suppress_missing_fields": { "type": "long", "_meta": { - "description": "Number of new_terms rules configured do not suppress alerts with missing fields" + "description": "Number of esql rules configured do not suppress alerts with missing fields" } } } }, - "has_exceptions": { - "type": "long", - "_meta": { - "description": "Number of new_terms rules with exceptions" - } - }, "response_actions": { "properties": { "enabled": { "type": "long", "_meta": { - "description": "Number of enabled new_term rules configured with response actions" + "description": "Number of enabled ES|QL rules configured with response actions" } }, "disabled": { "type": "long", "_meta": { - "description": "Number of disabled new_term rules configured with response actions" + "description": "Number of disabled ES|QL rules configured with response actions" } }, "response_actions": { 
@@ -1672,75 +2772,81 @@ "endpoint": { "type": "long", "_meta": { - "description": "Number of endpoint response actions within new_term rules" + "description": "Number of endpoint response actions within ES|QL rules" } }, "osquery": { "type": "long", "_meta": { - "description": "Number of osquery response actions within new_term rules" + "description": "Number of osquery response actions within ES|QL rules" } } } } } + }, + "has_exceptions": { + "type": "long", + "_meta": { + "description": "Number of ES|QL rules with exceptions" + } } } }, - "esql": { + "esql_custom": { "properties": { "enabled": { "type": "long", "_meta": { - "description": "Number of esql rules enabled" + "description": "Number of custom esql rules enabled" } }, "disabled": { "type": "long", "_meta": { - "description": "Number of esql rules disabled" + "description": "Number of custom esql rules disabled" } }, "alerts": { "type": "long", "_meta": { - "description": "Number of alerts generated by esql rules" + "description": "Number of alerts generated by custom esql rules" } }, "cases": { "type": "long", "_meta": { - "description": "Number of cases attached to esql detection rule alerts" + "description": "Number of cases attached to custom esql detection rule alerts" } }, "legacy_notifications_enabled": { "type": "long", "_meta": { - "description": "Number of legacy notifications enabled" + "description": "Number of custom ES|QL rules with legacy notifications enabled" } }, "legacy_notifications_disabled": { "type": "long", "_meta": { - "description": "Number of legacy notifications disabled" + "description": "Number of custom ES|QL rules with legacy notifications disabled" } }, "notifications_enabled": { "type": "long", "_meta": { - "description": "Number of notifications enabled" + "description": "Number of custom ES|QL rules with notifications enabled" } }, "notifications_disabled": { "type": "long", "_meta": { - "description": "Number of notifications enabled" + "description": "Number of 
custom ES|QL rules with notifications disabled" } }, "legacy_investigation_fields": { "type": "long", "_meta": { - "description": "Number of rules using the legacy investigation fields type introduced only in 8.10 ESS" + "description": "Number of custom ES|QL rules using the legacy investigation fields type introduced only in 8.10 ESS" } }, "alert_suppression": { @@ -1748,13 +2854,13 @@ "enabled": { "type": "long", "_meta": { - "description": "Number of enabled esql rules configured with suppression" + "description": "Number of enabled custom esql rules configured with suppression" } }, "disabled": { "type": "long", "_meta": { - "description": "Number of disabled esql rules configured with suppression" + "description": "Number of disabled custom esql rules configured with suppression" } }, "suppressed_fields_count": { @@ -1762,19 +2868,19 @@ "one": { "type": "long", "_meta": { - "description": "Number of esql rules configured with one suppression field" + "description": "Number of custom esql rules configured with one suppression field" } }, "two": { "type": "long", "_meta": { - "description": "Number of esql rules configured with two suppression field" + "description": "Number of custom esql rules configured with two suppression field" } }, "three": { "type": "long", "_meta": { - "description": "Number of esql rules configured with three suppression field" + "description": "Number of custom esql rules configured with three suppression field" } } } 
@@ -1782,47 +2888,41 @@ "suppressed_per_time_period": { "type": "long", "_meta": { - "description": "Number of esql rules configured with suppression per time period" + "description": "Number of custom esql rules configured with suppression per time period" } }, "suppressed_per_rule_execution": { "type": "long", "_meta": { - "description": "Number of esql rules configured with suppression per rule execution" + "description": "Number of custom esql rules configured with suppression per rule execution" } }, "suppresses_missing_fields": { "type": "long", "_meta": { - "description": "Number of esql rules configured to suppress alerts with missing fields" + "description": "Number of custom esql rules configured to suppress alerts with missing fields" } }, "does_not_suppress_missing_fields": { "type": "long", "_meta": { - "description": "Number of esql rules configured do not suppress alerts with missing fields" + "description": "Number of custom esql rules configured do not suppress alerts with missing fields" } } } }, - "has_exceptions": { - "type": "long", - "_meta": { - "description": "Number of esql rules with exceptions" - } - }, "response_actions": { "properties": { "enabled": { "type": "long", "_meta": { - "description": "Number of enabled esql rules configured with response actions" + "description": "Number of enabled custom ES|QL rules configured with response actions" } }, "disabled": { "type": "long", "_meta": { - "description": "Number of disabled esql rules configured with response actions" + "description": "Number of disabled custom ES|QL rules configured with response actions" } }, "response_actions": { 
@@ -1830,18 +2930,24 @@ "endpoint": { "type": "long", "_meta": { - "description": "Number of endpoint response actions within esql rules" + "description": "Number of endpoint response actions within custom ES|QL rules" } }, "osquery": { "type": "long", "_meta": { - "description": "Number of osquery response actions within esql rules" + "description": "Number of osquery response actions within custom ES|QL rules" } } } } } + }, + "has_exceptions": { + "type": "long", + "_meta": { + "description": "Number of custom ES|QL rules with exceptions" + } } } }, @@ -1963,24 +3069,18 @@ } } }, - "has_exceptions": { - "type": "long", - "_meta": { - "description": "Number of elastic rules with exceptions" - } - }, "response_actions": { "properties": { "enabled": { "type": "long", "_meta": { - "description": "Number of enabled elastic rules configured with response actions" + "description": "Number of enabled prebuilt rules configured with response actions" } }, "disabled": { "type": "long", "_meta": { - "description": "Number of disabled elastic rules configured with response actions" + "description": "Number of disabled prebuilt rules configured with response actions" } }, "response_actions": { @@ -1988,18 +3088,24 @@ "endpoint": { "type": "long", "_meta": { - "description": "Number of endpoint response actions within elastic rules" + "description": "Number of endpoint response actions within prebuilt rules" } }, "osquery": { "type": "long", "_meta": { - "description": "Number of osquery response actions within elastic rules" + "description": "Number of osquery response actions within prebuilt rules" } } } } } + }, + "has_exceptions": { + "type": "long", + "_meta": { + "description": "Number of prebuilt rules with exceptions" + } } } }, @@ -2121,12 +3227,6 @@ } } }, - "has_exceptions": { - "type": "long", - "_meta": { - "description": "Number of custom rules with exceptions" - } - }, "response_actions": { "properties": { "enabled": { 
@@ -2158,6 +3258,12 @@
 }
 }
 }
+ },
+ "has_exceptions": {
+ "type": "long",
+ "_meta": {
+ "description": "Number of custom rules with exceptions"
+ }
 }
 }
 }
@@ -2238,6 +3344,60 @@
 "_meta": {
 "description": "True if this rule has a notification"
 }
+ },
+ "has_legacy_investigation_field": {
+ "type": "boolean",
+ "_meta": {
+ "description": "True if this rule has a legacy investigation field"
+ }
+ },
+ "has_alert_suppression_missing_fields_strategy_do_not_suppress": {
+ "type": "boolean",
+ "_meta": {
+ "description": "True if this rule has alert suppression missing fields strategy do not suppress"
+ }
+ },
+ "has_alert_suppression_per_rule_execution": {
+ "type": "boolean",
+ "_meta": {
+ "description": "True if this rule has alert suppression per rule execution"
+ }
+ },
+ "has_alert_suppression_per_time_period": {
+ "type": "boolean",
+ "_meta": {
+ "description": "True if this rule has alert suppression per time period"
+ }
+ },
+ "alert_suppression_fields_count": {
+ "type": "long",
+ "_meta": {
+ "description": "The number of alert suppression fields for this rule"
+ }
+ },
+ "has_response_actions": {
+ "type": "boolean",
+ "_meta": {
+ "description": "True if this rule has response actions"
+ }
+ },
+ "has_response_actions_endpoint": {
+ "type": "boolean",
+ "_meta": {
+ "description": "True if this rule has endpoint response actions"
+ }
+ },
+ "has_response_actions_osquery": {
+ "type": "boolean",
+ "_meta": {
+ "description": "True if this rule has osquery response actions"
+ }
+ },
+ "has_exceptions": {
+ "type": "boolean",
+ "_meta": {
+ "description": "True if this rule has exceptions"
+ }
 }
 }
 }
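Review bot: In hunk `@@ -2238,6 +3344,60 @@` the description of the new `has_alert_suppression_missing_fields_strategy_do_not_suppress` flag, `"True if this rule has alert suppression missing fields strategy do not suppress"`, is not a readable sentence and does not say what the boolean actually asserts. Propose `"True if this rule's alert suppression missing-fields strategy is set to not suppress (alerts with missing suppression fields are still created)"`, which also pairs it with the aggregate `does_not_suppress_missing_fields` counters used elsewhere in this schema. The remaining eight new per-rule fields read fine.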
@@ -2309,19 +3469,19 @@
 "max": {
 "type": "float",
 "_meta": {
- "description": "The max duration"
+ "description": "The max duration of time spent indexing alerts"
 }
 },
 "avg": {
 "type": "float",
 "_meta": {
- "description": "The avg duration"
+ "description": "The avg duration of time spent indexing alerts"
 }
 },
 "min": {
 "type": "float",
 "_meta": {
- "description": "The min duration"
+ "description": "The min duration of time spent indexing alerts"
 }
 }
 }
@@ -2331,19 +3491,19 @@
 "max": {
 "type": "float",
 "_meta": {
- "description": "The max duration"
+ "description": "The max duration of time spent searching alerts"
 }
 },
 "avg": {
 "type": "float",
 "_meta": {
- "description": "The avg duration"
+ "description": "The avg duration of time spent searching alerts"
 }
 },
 "min": {
 "type": "float",
 "_meta": {
- "description": "The min duration"
+ "description": "The min duration of time spent searching alerts"
 }
 }
 }
@@ -2353,19 +3513,19 @@
 "max": {
 "type": "float",
 "_meta": {
- "description": "The max duration"
+ "description": "The max duration of time spent enriching alerts"
 }
 },
 "avg": {
 "type": "float",
 "_meta": {
- "description": "The avg duration"
+ "description": "The avg duration of time spent enriching alerts"
 }
 },
 "min": {
 "type": "float",
 "_meta": {
- "description": "The min duration"
+ "description": "The min duration of time spent enriching alerts"
 }
 }
 }
diff --git a/x-pack/solutions/security/plugins/security_solution/server/usage/collector.ts b/x-pack/solutions/security/plugins/security_solution/server/usage/collector.ts
index ec780af1629bc..1862ac7f2513b 100644
--- a/x-pack/solutions/security/plugins/security_solution/server/usage/collector.ts
+++ b/x-pack/solutions/security/plugins/security_solution/server/usage/collector.ts
@@ -14,6 +14,7 @@ import { getEndpointMetrics } from './endpoint/get_metrics';
 import { getDashboardMetrics } from './dashboards/get_dashboards_metrics';
 import { riskEngineMetricsSchema } from './risk_engine/schema';
 import { getRiskEngineMetrics } from './risk_engine/get_risk_engine_metrics';
+import { rulesMetricsSchema } from './detections/rules/schema';
 import { getExceptionsMetrics } from './exceptions/get_metrics';
 import { exceptionsMetricsSchema } from './exceptions/schema';
 import { valueListsMetricsSchema } from './value_lists/schema';
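Review bot: The new `import { rulesMetricsSchema } from './detections/rules/schema';` is dropped between `getRiskEngineMetrics` and `getExceptionsMetrics`, which breaks the pairing the surrounding lines follow, where each `*MetricsSchema` import sits directly beside the `get*Metrics` import for the same module (`riskEngineMetricsSchema`/`getRiskEngineMetrics`, `getExceptionsMetrics`/`exceptionsMetricsSchema`). Placing it next to the import that brings in the detection-rules metrics getter, which is presumably outside this hunk, keeps the list navigable now that the collector's schema is being split out of the inline definition. Minor, but this import list is long enough for the pairing to matter.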
@@ -49,3746 +50,7 @@ export const registerCollector: RegisterCollector = ({ type: 'security_solution', schema: { detectionMetrics: { - detection_rules: { - spaces_usage: { - total: { - type: 'long', - _meta: { description: 'Total number of spaces where detection rules added' }, - }, - rules_in_spaces: { - type: 'array', - items: { - type: 'long', - _meta: { description: 'Number of rules is each space' }, - }, - }, - }, - detection_rule_usage: { - query: { - enabled: { type: 'long', _meta: { description: 'Number of query rules enabled' } }, - disabled: { type: 'long', _meta: { description: 'Number of query rules disabled' } }, - alerts: { - type: 'long', - _meta: { description: 'Number of alerts generated by query rules' }, - }, - cases: { - type: 'long', - _meta: { description: 'Number of cases attached to query detection rule alerts' }, - }, - legacy_notifications_enabled: { - type: 'long', - _meta: { description: 'Number of legacy notifications enabled' }, - }, - legacy_notifications_disabled: { - type: 'long', - _meta: { description: 'Number of legacy notifications disabled' }, - }, - notifications_enabled: { - type: 'long', - _meta: { description: 'Number of notifications enabled' }, - }, - notifications_disabled: { - type: 'long', - _meta: { description: 'Number of notifications enabled' }, - }, - legacy_investigation_fields: { - type: 'long', - _meta: { - description: - 'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS', - }, - }, - alert_suppression: { - enabled: { - type: 'long', - _meta: { - description: 'Number of enabled query rules configured with suppression', - }, - }, - disabled: { - type: 'long', - _meta: { - description: 'Number of disabled query rules configured with suppression', - }, - }, - suppressed_fields_count: { - one: { - type: 'long', - _meta: { - description: 'Number of query rules configured with one suppression field', - }, - }, - two: { - type: 'long', - _meta: { - description: 'Number of query 
rules configured with two suppression field', - }, - }, - three: { - type: 'long', - _meta: { - description: 'Number of query rules configured with three suppression field', - }, - }, - }, - suppressed_per_time_period: { - type: 'long', - _meta: { - description: - 'Number of query rules configured with suppression per time period', - }, - }, - suppressed_per_rule_execution: { - type: 'long', - _meta: { - description: - 'Number of query rules configured with suppression per rule execution', - }, - }, - suppresses_missing_fields: { - type: 'long', - _meta: { - description: - 'Number of query rules configured to suppress alerts with missing fields', - }, - }, - does_not_suppress_missing_fields: { - type: 'long', - _meta: { - description: - 'Number of query rules configured do not suppress alerts with missing fields', - }, - }, - }, - has_exceptions: { - type: 'long', - _meta: { description: 'Number of query rules with exceptions' }, - }, - response_actions: { - enabled: { - type: 'long', - _meta: { - description: 'Number of enabled query rules configured with response actions', - }, - }, - disabled: { - type: 'long', - _meta: { - description: 'Number of disabled query rules configured with response actions', - }, - }, - response_actions: { - endpoint: { - type: 'long', - _meta: { - description: 'Number of endpoint response actions within query rules', - }, - }, - osquery: { - type: 'long', - _meta: { description: 'Number of osquery response actions within query rules' }, - }, - }, - }, - }, - threshold: { - enabled: { - type: 'long', - _meta: { description: 'Number of threshold rules enabled' }, - }, - disabled: { - type: 'long', - _meta: { description: 'Number of threshold rules disabled' }, - }, - alerts: { - type: 'long', - _meta: { description: 'Number of alerts generated by threshold rules' }, - }, - cases: { - type: 'long', - _meta: { - description: 'Number of cases attached to threshold detection rule alerts', - }, - }, - legacy_notifications_enabled: { - type: 
'long', - _meta: { description: 'Number of legacy notifications enabled' }, - }, - legacy_notifications_disabled: { - type: 'long', - _meta: { description: 'Number of legacy notifications disabled' }, - }, - notifications_enabled: { - type: 'long', - _meta: { description: 'Number of notifications enabled' }, - }, - notifications_disabled: { - type: 'long', - _meta: { description: 'Number of notifications enabled' }, - }, - legacy_investigation_fields: { - type: 'long', - _meta: { - description: - 'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS', - }, - }, - alert_suppression: { - enabled: { - type: 'long', - _meta: { - description: 'Number of enabled threshold rules configured with suppression', - }, - }, - disabled: { - type: 'long', - _meta: { - description: 'Number of disabled threshold rules configured with suppression', - }, - }, - suppressed_fields_count: { - one: { - type: 'long', - _meta: { - description: - 'Number of threshold rules configured with one suppression field', - }, - }, - two: { - type: 'long', - _meta: { - description: - 'Number of threshold rules configured with two suppression field', - }, - }, - three: { - type: 'long', - _meta: { - description: - 'Number of threshold rules configured with three suppression field', - }, - }, - }, - suppressed_per_time_period: { - type: 'long', - _meta: { - description: - 'Number of threshold rules configured with suppression per time period', - }, - }, - suppressed_per_rule_execution: { - type: 'long', - _meta: { - description: - 'Number of threshold rules configured with suppression per rule execution', - }, - }, - suppresses_missing_fields: { - type: 'long', - _meta: { - description: - 'Number of threshold rules configured to suppress alerts with missing fields', - }, - }, - does_not_suppress_missing_fields: { - type: 'long', - _meta: { - description: - 'Number of threshold rules configured do not suppress alerts with missing fields', - }, - }, - }, - 
has_exceptions: { - type: 'long', - _meta: { description: 'Number of threshold rules with exceptions' }, - }, - response_actions: { - enabled: { - type: 'long', - _meta: { - description: - 'Number of enabled threshold rules configured with response actions', - }, - }, - disabled: { - type: 'long', - _meta: { - description: - 'Number of disabled threshold rules configured with response actions', - }, - }, - response_actions: { - endpoint: { - type: 'long', - _meta: { - description: 'Number of endpoint response actions within threshold rules', - }, - }, - osquery: { - type: 'long', - _meta: { - description: 'Number of osquery response actions within threshold rules', - }, - }, - }, - }, - }, - eql: { - enabled: { type: 'long', _meta: { description: 'Number of eql rules enabled' } }, - disabled: { type: 'long', _meta: { description: 'Number of eql rules disabled' } }, - alerts: { - type: 'long', - _meta: { description: 'Number of alerts generated by eql rules' }, - }, - cases: { - type: 'long', - _meta: { description: 'Number of cases attached to eql detection rule alerts' }, - }, - legacy_notifications_enabled: { - type: 'long', - _meta: { description: 'Number of legacy notifications enabled' }, - }, - legacy_notifications_disabled: { - type: 'long', - _meta: { description: 'Number of legacy notifications disabled' }, - }, - notifications_enabled: { - type: 'long', - _meta: { description: 'Number of notifications enabled' }, - }, - notifications_disabled: { - type: 'long', - _meta: { description: 'Number of notifications enabled' }, - }, - legacy_investigation_fields: { - type: 'long', - _meta: { - description: - 'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS', - }, - }, - alert_suppression: { - enabled: { - type: 'long', - _meta: { - description: 'Number of enabled eql rules configured with suppression', - }, - }, - disabled: { - type: 'long', - _meta: { - description: 'Number of disabled eql rules configured with 
suppression', - }, - }, - suppressed_fields_count: { - one: { - type: 'long', - _meta: { - description: 'Number of eql rules configured with one suppression field', - }, - }, - two: { - type: 'long', - _meta: { - description: 'Number of eql rules configured with two suppression field', - }, - }, - three: { - type: 'long', - _meta: { - description: 'Number of eql rules configured with three suppression field', - }, - }, - }, - suppressed_per_time_period: { - type: 'long', - _meta: { - description: 'Number of eql rules configured with suppression per time period', - }, - }, - suppressed_per_rule_execution: { - type: 'long', - _meta: { - description: - 'Number of eql rules configured with suppression per rule execution', - }, - }, - suppresses_missing_fields: { - type: 'long', - _meta: { - description: - 'Number of eql rules configured to suppress alerts with missing fields', - }, - }, - does_not_suppress_missing_fields: { - type: 'long', - _meta: { - description: - 'Number of eql rules configured do not suppress alerts with missing fields', - }, - }, - }, - has_exceptions: { - type: 'long', - _meta: { description: 'Number of eql rules with exceptions' }, - }, - response_actions: { - enabled: { - type: 'long', - _meta: { - description: 'Number of enabled eql rules configured with response actions', - }, - }, - disabled: { - type: 'long', - _meta: { - description: 'Number of disabled eql rules configured with response actions', - }, - }, - response_actions: { - endpoint: { - type: 'long', - _meta: { - description: 'Number of endpoint response actions within eql rules', - }, - }, - osquery: { - type: 'long', - _meta: { description: 'Number of osquery response actions within eql rules' }, - }, - }, - }, - }, - machine_learning: { - enabled: { - type: 'long', - _meta: { description: 'Number of machine_learning rules enabled' }, - }, - disabled: { - type: 'long', - _meta: { description: 'Number of machine_learning rules disabled' }, - }, - alerts: { - type: 'long', - 
_meta: { description: 'Number of alerts generated by machine_learning rules' }, - }, - cases: { - type: 'long', - _meta: { - description: 'Number of cases attached to machine_learning detection rule alerts', - }, - }, - legacy_notifications_enabled: { - type: 'long', - _meta: { description: 'Number of legacy notifications enabled' }, - }, - legacy_notifications_disabled: { - type: 'long', - _meta: { description: 'Number of legacy notifications disabled' }, - }, - notifications_enabled: { - type: 'long', - _meta: { description: 'Number of notifications enabled' }, - }, - notifications_disabled: { - type: 'long', - _meta: { description: 'Number of notifications enabled' }, - }, - legacy_investigation_fields: { - type: 'long', - _meta: { - description: - 'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS', - }, - }, - alert_suppression: { - enabled: { - type: 'long', - _meta: { - description: - 'Number of enabled machine_learning rules configured with suppression', - }, - }, - disabled: { - type: 'long', - _meta: { - description: - 'Number of disabled machine_learning rules configured with suppression', - }, - }, - suppressed_fields_count: { - one: { - type: 'long', - _meta: { - description: - 'Number of machine_learning rules configured with one suppression field', - }, - }, - two: { - type: 'long', - _meta: { - description: - 'Number of machine_learning rules configured with two suppression field', - }, - }, - three: { - type: 'long', - _meta: { - description: - 'Number of machine_learning rules configured with three suppression field', - }, - }, - }, - suppressed_per_time_period: { - type: 'long', - _meta: { - description: - 'Number of machine_learning rules configured with suppression per time period', - }, - }, - suppressed_per_rule_execution: { - type: 'long', - _meta: { - description: - 'Number of machine_learning rules configured with suppression per rule execution', - }, - }, - suppresses_missing_fields: { - type: 'long', 
- _meta: { - description: - 'Number of machine_learning rules configured to suppress alerts with missing fields', - }, - }, - does_not_suppress_missing_fields: { - type: 'long', - _meta: { - description: - 'Number of machine_learning rules configured do not suppress alerts with missing fields', - }, - }, - }, - has_exceptions: { - type: 'long', - _meta: { description: 'Number of machine_learning rules with exceptions' }, - }, - response_actions: { - enabled: { - type: 'long', - _meta: { - description: - 'Number of enabled machine_learning rules configured with response actions', - }, - }, - disabled: { - type: 'long', - _meta: { - description: - 'Number of disabled machine_learning rules configured with response actions', - }, - }, - response_actions: { - endpoint: { - type: 'long', - _meta: { - description: - 'Number of endpoint response actions within machine_learning rules', - }, - }, - osquery: { - type: 'long', - _meta: { - description: - 'Number of osquery response actions within machine_learning rules', - }, - }, - }, - }, - }, - threat_match: { - enabled: { - type: 'long', - _meta: { description: 'Number of threat_match rules enabled' }, - }, - disabled: { - type: 'long', - _meta: { description: 'Number of threat_match rules disabled' }, - }, - alerts: { - type: 'long', - _meta: { description: 'Number of alerts generated by threat_match rules' }, - }, - cases: { - type: 'long', - _meta: { - description: 'Number of cases attached to threat_match detection rule alerts', - }, - }, - legacy_notifications_enabled: { - type: 'long', - _meta: { description: 'Number of legacy notifications enabled' }, - }, - legacy_notifications_disabled: { - type: 'long', - _meta: { description: 'Number of legacy notifications disabled' }, - }, - notifications_enabled: { - type: 'long', - _meta: { description: 'Number of notifications enabled' }, - }, - notifications_disabled: { - type: 'long', - _meta: { description: 'Number of notifications enabled' }, - }, - 
legacy_investigation_fields: { - type: 'long', - _meta: { - description: - 'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS', - }, - }, - alert_suppression: { - enabled: { - type: 'long', - _meta: { - description: 'Number of enabled threat_match rules configured with suppression', - }, - }, - disabled: { - type: 'long', - _meta: { - description: - 'Number of disabled threat_match rules configured with suppression', - }, - }, - suppressed_fields_count: { - one: { - type: 'long', - _meta: { - description: - 'Number of threat_match rules configured with one suppression field', - }, - }, - two: { - type: 'long', - _meta: { - description: - 'Number of threat_match rules configured with two suppression field', - }, - }, - three: { - type: 'long', - _meta: { - description: - 'Number of threat_match rules configured with three suppression field', - }, - }, - }, - suppressed_per_time_period: { - type: 'long', - _meta: { - description: - 'Number of threat_match rules configured with suppression per time period', - }, - }, - suppressed_per_rule_execution: { - type: 'long', - _meta: { - description: - 'Number of threat_match rules configured with suppression per rule execution', - }, - }, - suppresses_missing_fields: { - type: 'long', - _meta: { - description: - 'Number of threat_match rules configured to suppress alerts with missing fields', - }, - }, - does_not_suppress_missing_fields: { - type: 'long', - _meta: { - description: - 'Number of threat_match rules configured do not suppress alerts with missing fields', - }, - }, - }, - has_exceptions: { - type: 'long', - _meta: { description: 'Number of threat_match rules with exceptions' }, - }, - response_actions: { - enabled: { - type: 'long', - _meta: { - description: - 'Number of enabled threat_match rules configured with response actions', - }, - }, - disabled: { - type: 'long', - _meta: { - description: - 'Number of disabled threat_match rules configured with response actions', - }, 
- }, - response_actions: { - endpoint: { - type: 'long', - _meta: { - description: 'Number of endpoint response actions within threat_match rules', - }, - }, - osquery: { - type: 'long', - _meta: { - description: 'Number of osquery response actions within threat_match rules', - }, - }, - }, - }, - }, - new_terms: { - enabled: { - type: 'long', - _meta: { description: 'Number of new_terms rules enabled' }, - }, - disabled: { - type: 'long', - _meta: { description: 'Number of new_terms rules disabled' }, - }, - alerts: { - type: 'long', - _meta: { description: 'Number of alerts generated by new_terms rules' }, - }, - cases: { - type: 'long', - _meta: { - description: 'Number of cases attached to new_terms detection rule alerts', - }, - }, - legacy_notifications_enabled: { - type: 'long', - _meta: { description: 'Number of legacy notifications enabled' }, - }, - legacy_notifications_disabled: { - type: 'long', - _meta: { description: 'Number of legacy notifications disabled' }, - }, - notifications_enabled: { - type: 'long', - _meta: { description: 'Number of notifications enabled' }, - }, - notifications_disabled: { - type: 'long', - _meta: { description: 'Number of notifications enabled' }, - }, - legacy_investigation_fields: { - type: 'long', - _meta: { - description: - 'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS', - }, - }, - alert_suppression: { - enabled: { - type: 'long', - _meta: { - description: 'Number of enabled new_terms rules configured with suppression', - }, - }, - disabled: { - type: 'long', - _meta: { - description: 'Number of disabled new_terms rules configured with suppression', - }, - }, - suppressed_fields_count: { - one: { - type: 'long', - _meta: { - description: - 'Number of new_terms rules configured with one suppression field', - }, - }, - two: { - type: 'long', - _meta: { - description: - 'Number of new_terms rules configured with two suppression field', - }, - }, - three: { - type: 'long', - 
_meta: { - description: - 'Number of new_terms rules configured with three suppression field', - }, - }, - }, - suppressed_per_time_period: { - type: 'long', - _meta: { - description: - 'Number of new_terms rules configured with suppression per time period', - }, - }, - suppressed_per_rule_execution: { - type: 'long', - _meta: { - description: - 'Number of new_terms rules configured with suppression per rule execution', - }, - }, - suppresses_missing_fields: { - type: 'long', - _meta: { - description: - 'Number of new_terms rules configured to suppress alerts with missing fields', - }, - }, - does_not_suppress_missing_fields: { - type: 'long', - _meta: { - description: - 'Number of new_terms rules configured do not suppress alerts with missing fields', - }, - }, - }, - has_exceptions: { - type: 'long', - _meta: { description: 'Number of new_terms rules with exceptions' }, - }, - response_actions: { - enabled: { - type: 'long', - _meta: { - description: - 'Number of enabled new_term rules configured with response actions', - }, - }, - disabled: { - type: 'long', - _meta: { - description: - 'Number of disabled new_term rules configured with response actions', - }, - }, - response_actions: { - endpoint: { - type: 'long', - _meta: { - description: 'Number of endpoint response actions within new_term rules', - }, - }, - osquery: { - type: 'long', - _meta: { - description: 'Number of osquery response actions within new_term rules', - }, - }, - }, - }, - }, - esql: { - enabled: { - type: 'long', - _meta: { description: 'Number of esql rules enabled' }, - }, - disabled: { - type: 'long', - _meta: { description: 'Number of esql rules disabled' }, - }, - alerts: { - type: 'long', - _meta: { description: 'Number of alerts generated by esql rules' }, - }, - cases: { - type: 'long', - _meta: { - description: 'Number of cases attached to esql detection rule alerts', - }, - }, - legacy_notifications_enabled: { - type: 'long', - _meta: { description: 'Number of legacy 
notifications enabled' }, - }, - legacy_notifications_disabled: { - type: 'long', - _meta: { description: 'Number of legacy notifications disabled' }, - }, - notifications_enabled: { - type: 'long', - _meta: { description: 'Number of notifications enabled' }, - }, - notifications_disabled: { - type: 'long', - _meta: { description: 'Number of notifications enabled' }, - }, - legacy_investigation_fields: { - type: 'long', - _meta: { - description: - 'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS', - }, - }, - alert_suppression: { - enabled: { - type: 'long', - _meta: { - description: 'Number of enabled esql rules configured with suppression', - }, - }, - disabled: { - type: 'long', - _meta: { - description: 'Number of disabled esql rules configured with suppression', - }, - }, - suppressed_fields_count: { - one: { - type: 'long', - _meta: { - description: 'Number of esql rules configured with one suppression field', - }, - }, - two: { - type: 'long', - _meta: { - description: 'Number of esql rules configured with two suppression field', - }, - }, - three: { - type: 'long', - _meta: { - description: 'Number of esql rules configured with three suppression field', - }, - }, - }, - suppressed_per_time_period: { - type: 'long', - _meta: { - description: 'Number of esql rules configured with suppression per time period', - }, - }, - suppressed_per_rule_execution: { - type: 'long', - _meta: { - description: - 'Number of esql rules configured with suppression per rule execution', - }, - }, - suppresses_missing_fields: { - type: 'long', - _meta: { - description: - 'Number of esql rules configured to suppress alerts with missing fields', - }, - }, - does_not_suppress_missing_fields: { - type: 'long', - _meta: { - description: - 'Number of esql rules configured do not suppress alerts with missing fields', - }, - }, - }, - has_exceptions: { - type: 'long', - _meta: { description: 'Number of esql rules with exceptions' }, - }, - 
response_actions: { - enabled: { - type: 'long', - _meta: { - description: 'Number of enabled esql rules configured with response actions', - }, - }, - disabled: { - type: 'long', - _meta: { - description: 'Number of disabled esql rules configured with response actions', - }, - }, - response_actions: { - endpoint: { - type: 'long', - _meta: { - description: 'Number of endpoint response actions within esql rules', - }, - }, - osquery: { - type: 'long', - _meta: { description: 'Number of osquery response actions within esql rules' }, - }, - }, - }, - }, - elastic_total: { - enabled: { type: 'long', _meta: { description: 'Number of elastic rules enabled' } }, - disabled: { - type: 'long', - _meta: { description: 'Number of elastic rules disabled' }, - }, - alerts: { - type: 'long', - _meta: { description: 'Number of alerts generated by elastic rules' }, - }, - cases: { - type: 'long', - _meta: { description: 'Number of cases attached to elastic detection rule alerts' }, - }, - legacy_notifications_enabled: { - type: 'long', - _meta: { description: 'Number of legacy notifications enabled' }, - }, - legacy_notifications_disabled: { - type: 'long', - _meta: { description: 'Number of legacy notifications disabled' }, - }, - notifications_enabled: { - type: 'long', - _meta: { description: 'Number of notifications enabled' }, - }, - notifications_disabled: { - type: 'long', - _meta: { description: 'Number of notifications enabled' }, - }, - legacy_investigation_fields: { - type: 'long', - _meta: { - description: - 'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS', - }, - }, - alert_suppression: { - enabled: { - type: 'long', - _meta: { - description: 'Number of enabled elastic rules configured with suppression', - }, - }, - disabled: { - type: 'long', - _meta: { - description: 'Number of disabled elastic rules configured with suppression', - }, - }, - suppressed_fields_count: { - one: { - type: 'long', - _meta: { - description: 'Number 
of elastic rules configured with one suppression field', - }, - }, - two: { - type: 'long', - _meta: { - description: 'Number of elastic rules configured with two suppression field', - }, - }, - three: { - type: 'long', - _meta: { - description: - 'Number of elastic rules configured with three suppression field', - }, - }, - }, - suppressed_per_time_period: { - type: 'long', - _meta: { - description: - 'Number of elastic rules configured with suppression per time period', - }, - }, - suppressed_per_rule_execution: { - type: 'long', - _meta: { - description: - 'Number of elastic rules configured with suppression per rule execution', - }, - }, - suppresses_missing_fields: { - type: 'long', - _meta: { - description: - 'Number of elastic rules configured to suppress alerts with missing fields', - }, - }, - does_not_suppress_missing_fields: { - type: 'long', - _meta: { - description: - 'Number of elastic rules configured do not suppress alerts with missing fields', - }, - }, - }, - has_exceptions: { - type: 'long', - _meta: { description: 'Number of elastic rules with exceptions' }, - }, - response_actions: { - enabled: { - type: 'long', - _meta: { - description: 'Number of enabled elastic rules configured with response actions', - }, - }, - disabled: { - type: 'long', - _meta: { - description: - 'Number of disabled elastic rules configured with response actions', - }, - }, - response_actions: { - endpoint: { - type: 'long', - _meta: { - description: 'Number of endpoint response actions within elastic rules', - }, - }, - osquery: { - type: 'long', - _meta: { - description: 'Number of osquery response actions within elastic rules', - }, - }, - }, - }, - }, - custom_total: { - enabled: { type: 'long', _meta: { description: 'Number of custom rules enabled' } }, - disabled: { type: 'long', _meta: { description: 'Number of custom rules disabled' } }, - alerts: { - type: 'long', - _meta: { description: 'Number of alerts generated by custom rules' }, - }, - cases: { - type: 
'long', - _meta: { description: 'Number of cases attached to custom detection rule alerts' }, - }, - legacy_notifications_enabled: { - type: 'long', - _meta: { description: 'Number of legacy notifications enabled' }, - }, - legacy_notifications_disabled: { - type: 'long', - _meta: { description: 'Number of legacy notifications disabled' }, - }, - notifications_enabled: { - type: 'long', - _meta: { description: 'Number of notifications enabled' }, - }, - notifications_disabled: { - type: 'long', - _meta: { description: 'Number of notifications enabled' }, - }, - legacy_investigation_fields: { - type: 'long', - _meta: { - description: - 'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS', - }, - }, - alert_suppression: { - enabled: { - type: 'long', - _meta: { - description: 'Number of enabled custom rules configured with suppression', - }, - }, - disabled: { - type: 'long', - _meta: { - description: 'Number of disabled custom rules configured with suppression', - }, - }, - suppressed_fields_count: { - one: { - type: 'long', - _meta: { - description: 'Number of custom rules configured with one suppression field', - }, - }, - two: { - type: 'long', - _meta: { - description: 'Number of custom rules configured with two suppression field', - }, - }, - three: { - type: 'long', - _meta: { - description: 'Number of custom rules configured with three suppression field', - }, - }, - }, - suppressed_per_time_period: { - type: 'long', - _meta: { - description: - 'Number of custom rules configured with suppression per time period', - }, - }, - suppressed_per_rule_execution: { - type: 'long', - _meta: { - description: - 'Number of custom rules configured with suppression per rule execution', - }, - }, - suppresses_missing_fields: { - type: 'long', - _meta: { - description: - 'Number of custom rules configured to suppress alerts with missing fields', - }, - }, - does_not_suppress_missing_fields: { - type: 'long', - _meta: { - description: - 
'Number of custom rules configured do not suppress alerts with missing fields', - }, - }, - }, - has_exceptions: { - type: 'long', - _meta: { description: 'Number of custom rules with exceptions' }, - }, - response_actions: { - enabled: { - type: 'long', - _meta: { - description: 'Number of enabled custom rules configured with response actions', - }, - }, - disabled: { - type: 'long', - _meta: { - description: 'Number of disabled custom rules configured with response actions', - }, - }, - response_actions: { - endpoint: { - type: 'long', - _meta: { - description: 'Number of endpoint response actions within custom rules', - }, - }, - osquery: { - type: 'long', - _meta: { - description: 'Number of osquery response actions within custom rules', - }, - }, - }, - }, - }, - }, - detection_rule_detail: { - type: 'array', - items: { - rule_name: { - type: 'keyword', - _meta: { description: 'The name of the detection rule' }, - }, - rule_id: { - type: 'keyword', - _meta: { description: 'The UUID id of the detection rule' }, - }, - rule_type: { - type: 'keyword', - _meta: { description: 'The type of detection rule. ie eql, query...' 
}, - }, - rule_version: { type: 'long', _meta: { description: 'The version of the rule' } }, - enabled: { - type: 'boolean', - _meta: { description: 'If the detection rule has been enabled by the user' }, - }, - elastic_rule: { - type: 'boolean', - _meta: { description: 'If the detection rule has been authored by Elastic' }, - }, - created_on: { - type: 'keyword', - _meta: { description: 'When the detection rule was created on the cluster' }, - }, - updated_on: { - type: 'keyword', - _meta: { description: 'When the detection rule was updated on the cluster' }, - }, - alert_count_daily: { - type: 'long', - _meta: { description: 'The number of daily alerts generated by a rule' }, - }, - cases_count_total: { - type: 'long', - _meta: { description: 'The number of total cases generated by a rule' }, - }, - has_legacy_notification: { - type: 'boolean', - _meta: { description: 'True if this rule has a legacy notification' }, - }, - has_notification: { - type: 'boolean', - _meta: { description: 'True if this rule has a notification' }, - }, - }, - }, - detection_rule_status: { - all_rules: { - eql: { - failures: { - type: 'long', - _meta: { description: 'The number of failed rules' }, - }, - top_failures: { - type: 'array', - items: { - message: { - type: 'keyword', - _meta: { description: 'Failed rule message' }, - }, - count: { - type: 'long', - _meta: { description: 'Number of times the message occurred' }, - }, - }, - }, - partial_failures: { - type: 'long', - _meta: { description: 'The number of partial failure rules' }, - }, - top_partial_failures: { - type: 'array', - items: { - message: { - type: 'keyword', - _meta: { description: 'Failed rule message' }, - }, - count: { - type: 'long', - _meta: { description: 'Number of times the message occurred' }, - }, - }, - }, - succeeded: { - type: 'long', - _meta: { description: 'The number of successful rules' }, - }, - index_duration: { - max: { - type: 'float', - _meta: { description: 'The max duration' }, - }, - avg: { 
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- search_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- enrichment_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_count: {
- type: 'long',
- _meta: { description: 'The count of gaps' },
- },
- },
- new_terms: {
- failures: {
- type: 'long',
- _meta: { description: 'The number of failed rules' },
- },
- top_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- partial_failures: {
- type: 'long',
- _meta: { description: 'The number of partial failure rules' },
- },
- top_partial_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- succeeded: {
- type: 'long',
- _meta: { description: 'The number of successful rules' },
- },
- index_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- search_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- enrichment_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_count: {
- type: 'long',
- _meta: { description: 'The count of gaps' },
- },
- },
- esql: {
- failures: {
- type: 'long',
- _meta: { description: 'The number of failed rules' },
- },
- top_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- partial_failures: {
- type: 'long',
- _meta: { description: 'The number of partial failure rules' },
- },
- top_partial_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- succeeded: {
- type: 'long',
- _meta: { description: 'The number of successful rules' },
- },
- index_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- search_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- enrichment_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_count: {
- type: 'long',
- _meta: { description: 'The count of gaps' },
- },
- },
- threat_match: {
- failures: {
- type: 'long',
- _meta: { description: 'The number of failed rules' },
- },
- top_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- partial_failures: {
- type: 'long',
- _meta: { description: 'The number of partial failure rules' },
- },
- top_partial_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- succeeded: {
- type: 'long',
- _meta: { description: 'The number of successful rules' },
- },
- index_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- search_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- enrichment_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_count: {
- type: 'long',
- _meta: { description: 'The count of gaps' },
- },
- },
- machine_learning: {
- failures: {
- type: 'long',
- _meta: { description: 'The number of failed rules' },
- },
- top_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- partial_failures: {
- type: 'long',
- _meta: { description: 'The number of partial failure rules' },
- },
- top_partial_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- succeeded: {
- type: 'long',
- _meta: { description: 'The number of successful rules' },
- },
- index_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- search_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- enrichment_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_count: {
- type: 'long',
- _meta: { description: 'The count of gaps' },
- },
- },
- query: {
- failures: {
- type: 'long',
- _meta: { description: 'The number of failed rules' },
- },
- top_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- partial_failures: {
- type: 'long',
- _meta: { description: 'The number of partial failure rules' },
- },
- top_partial_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- succeeded: {
- type: 'long',
- _meta: { description: 'The number of successful rules' },
- },
- index_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- search_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- enrichment_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_count: {
- type: 'long',
- _meta: { description: 'The count of gaps' },
- },
- },
- saved_query: {
- failures: {
- type: 'long',
- _meta: { description: 'The number of failed rules' },
- },
- top_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- partial_failures: {
- type: 'long',
- _meta: { description: 'The number of partial failure rules' },
- },
- top_partial_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- succeeded: {
- type: 'long',
- _meta: { description: 'The number of successful rules' },
- },
- index_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- search_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- enrichment_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_count: {
- type: 'long',
- _meta: { description: 'The count of gaps' },
- },
- },
- threshold: {
- failures: {
- type: 'long',
- _meta: { description: 'The number of failed rules' },
- },
- top_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- partial_failures: {
- type: 'long',
- _meta: { description: 'The number of partial failure rules' },
- },
- top_partial_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- succeeded: {
- type: 'long',
- _meta: { description: 'The number of successful rules' },
- },
- index_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- search_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- enrichment_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_count: {
- type: 'long',
- _meta: { description: 'The count of gaps' },
- },
- },
- total: {
- failures: {
- type: 'long',
- _meta: { description: 'The number of failed rules' },
- },
- partial_failures: {
- type: 'long',
- _meta: { description: 'The number of partial failure rules' },
- },
- succeeded: {
- type: 'long',
- _meta: { description: 'The number of succeeded rules' },
- },
- },
- },
- elastic_rules: {
- eql: {
- failures: {
- type: 'long',
- _meta: { description: 'The number of failed rules' },
- },
- top_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- partial_failures: {
- type: 'long',
- _meta: { description: 'The number of partial failure rules' },
- },
- top_partial_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- succeeded: {
- type: 'long',
- _meta: { description: 'The number of successful rules' },
- },
- index_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- search_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- enrichment_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_count: {
- type: 'long',
- _meta: { description: 'The count of gaps' },
- },
- },
- new_terms: {
- failures: {
- type: 'long',
- _meta: { description: 'The number of failed rules' },
- },
- top_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- partial_failures: {
- type: 'long',
- _meta: { description: 'The number of partial failure rules' },
- },
- top_partial_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- succeeded: {
- type: 'long',
- _meta: { description: 'The number of successful rules' },
- },
- index_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- search_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- enrichment_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_count: {
- type: 'long',
- _meta: { description: 'The count of gaps' },
- },
- },
- esql: {
- failures: {
- type: 'long',
- _meta: { description: 'The number of failed rules' },
- },
- top_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- partial_failures: {
- type: 'long',
- _meta: { description: 'The number of partial failure rules' },
- },
- top_partial_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- succeeded: {
- type: 'long',
- _meta: { description: 'The number of successful rules' },
- },
- index_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- search_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- enrichment_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_count: {
- type: 'long',
- _meta: { description: 'The count of gaps' },
- },
- },
- threat_match: {
- failures: {
- type: 'long',
- _meta: { description: 'The number of failed rules' },
- },
- top_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- partial_failures: {
- type: 'long',
- _meta: { description: 'The number of partial failure rules' },
- },
- top_partial_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- succeeded: {
- type: 'long',
- _meta: { description: 'The number of successful rules' },
- },
- index_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- search_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- enrichment_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_count: {
- type: 'long',
- _meta: { description: 'The count of gaps' },
- },
- },
- machine_learning: {
- failures: {
- type: 'long',
- _meta: { description: 'The number of failed rules' },
- },
- top_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- partial_failures: {
- type: 'long',
- _meta: { description: 'The number of partial failure rules' },
- },
- top_partial_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- succeeded: {
- type: 'long',
- _meta: { description: 'The number of successful rules' },
- },
- index_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- search_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- enrichment_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_count: {
- type: 'long',
- _meta: { description: 'The count of gaps' },
- },
- },
- query: {
- failures: {
- type: 'long',
- _meta: { description: 'The number of failed rules' },
- },
- top_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- partial_failures: {
- type: 'long',
- _meta: { description: 'The number of partial failure rules' },
- },
- top_partial_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- succeeded: {
- type: 'long',
- _meta: { description: 'The number of successful rules' },
- },
- index_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- search_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- enrichment_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_count: {
- type: 'long',
- _meta: { description: 'The count of gaps' },
- },
- },
- saved_query: {
- failures: {
- type: 'long',
- _meta: { description: 'The number of failed rules' },
- },
- top_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- partial_failures: {
- type: 'long',
- _meta: { description: 'The number of partial failure rules' },
- },
- top_partial_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- succeeded: {
- type: 'long',
- _meta: { description: 'The number of successful rules' },
- },
- index_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- search_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- enrichment_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_count: {
- type: 'long',
- _meta: { description: 'The count of gaps' },
- },
- },
- threshold: {
- failures: {
- type: 'long',
- _meta: { description: 'The number of failed rules' },
- },
- top_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- partial_failures: {
- type: 'long',
- _meta: { description: 'The number of partial failure rules' },
- },
- top_partial_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- succeeded: {
- type: 'long',
- _meta: { description: 'The number of successful rules' },
- },
- index_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- search_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- enrichment_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_count: {
- type: 'long',
- _meta: { description: 'The count of gaps' },
- },
- },
- total: {
- failures: {
- type: 'long',
- _meta: { description: 'The number of failed rules' },
- },
- partial_failures: {
- type: 'long',
- _meta: { description: 'The number of partial failure rules' },
- },
- succeeded: {
- type: 'long',
- _meta: { description: 'The number of succeeded rules' },
- },
- },
- },
- custom_rules: {
- eql: {
- failures: {
- type: 'long',
- _meta: { description: 'The number of failed rules' },
- },
- top_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- partial_failures: {
- type: 'long',
- _meta: { description: 'The number of partial failure rules' },
- },
- top_partial_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- succeeded: {
- type: 'long',
- _meta: { description: 'The number of successful rules' },
- },
- index_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- search_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- enrichment_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_count: {
- type: 'long',
- _meta: { description: 'The count of gaps' },
- },
- },
- new_terms: {
- failures: {
- type: 'long',
- _meta: { description: 'The number of failed rules' },
- },
- top_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- partial_failures: {
- type: 'long',
- _meta: { description: 'The number of partial failure rules' },
- },
- top_partial_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- succeeded: {
- type: 'long',
- _meta: { description: 'The number of successful rules' },
- },
- index_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- search_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- enrichment_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_count: {
- type: 'long',
- _meta: { description: 'The count of gaps' },
- },
- },
- esql: {
- failures: {
- type: 'long',
- _meta: { description: 'The number of failed rules' },
- },
- top_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- partial_failures: {
- type: 'long',
- _meta: { description: 'The number of partial failure rules' },
- },
- top_partial_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- succeeded: {
- type: 'long',
- _meta: { description: 'The number of successful rules' },
- },
- index_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- search_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- enrichment_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_count: {
- type: 'long',
- _meta: { description: 'The count of gaps' },
- },
- },
- threat_match: {
- failures: {
- type: 'long',
- _meta: { description: 'The number of failed rules' },
- },
- top_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- partial_failures: {
- type: 'long',
- _meta: { description: 'The number of partial failure rules' },
- },
- top_partial_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- succeeded: {
- type: 'long',
- _meta: { description: 'The number of successful rules' },
- },
- index_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- search_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- enrichment_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_count: {
- type: 'long',
- _meta: { description: 'The count of gaps' },
- },
- },
- machine_learning: {
- failures: {
- type: 'long',
- _meta: { description: 'The number of failed rules' },
- },
- top_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- partial_failures: {
- type: 'long',
- _meta: { description: 'The number of partial failure rules' },
- },
- top_partial_failures: {
- type: 'array',
- items: {
- message: {
- type: 'keyword',
- _meta: { description: 'Failed rule message' },
- },
- count: {
- type: 'long',
- _meta: { description: 'Number of times the message occurred' },
- },
- },
- },
- succeeded: {
- type: 'long',
- _meta: { description: 'The number of successful rules' },
- },
- index_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- search_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- enrichment_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_duration: {
- max: {
- type: 'float',
- _meta: { description: 'The max duration' },
- },
- avg: {
- type: 'float',
- _meta: { description: 'The avg duration' },
- },
- min: {
- type: 'float',
- _meta: { description: 'The min duration' },
- },
- },
- gap_count: {
- type: 'long',
- 
_meta: { description: 'The count of gaps' }, - }, - }, - query: { - failures: { - type: 'long', - _meta: { description: 'The number of failed rules' }, - }, - top_failures: { - type: 'array', - items: { - message: { - type: 'keyword', - _meta: { description: 'Failed rule message' }, - }, - count: { - type: 'long', - _meta: { description: 'Number of times the message occurred' }, - }, - }, - }, - partial_failures: { - type: 'long', - _meta: { description: 'The number of partial failure rules' }, - }, - top_partial_failures: { - type: 'array', - items: { - message: { - type: 'keyword', - _meta: { description: 'Failed rule message' }, - }, - count: { - type: 'long', - _meta: { description: 'Number of times the message occurred' }, - }, - }, - }, - succeeded: { - type: 'long', - _meta: { description: 'The number of successful rules' }, - }, - index_duration: { - max: { - type: 'float', - _meta: { description: 'The max duration' }, - }, - avg: { - type: 'float', - _meta: { description: 'The avg duration' }, - }, - min: { - type: 'float', - _meta: { description: 'The min duration' }, - }, - }, - search_duration: { - max: { - type: 'float', - _meta: { description: 'The max duration' }, - }, - avg: { - type: 'float', - _meta: { description: 'The avg duration' }, - }, - min: { - type: 'float', - _meta: { description: 'The min duration' }, - }, - }, - enrichment_duration: { - max: { - type: 'float', - _meta: { description: 'The max duration' }, - }, - avg: { - type: 'float', - _meta: { description: 'The avg duration' }, - }, - min: { - type: 'float', - _meta: { description: 'The min duration' }, - }, - }, - gap_duration: { - max: { - type: 'float', - _meta: { description: 'The max duration' }, - }, - avg: { - type: 'float', - _meta: { description: 'The avg duration' }, - }, - min: { - type: 'float', - _meta: { description: 'The min duration' }, - }, - }, - gap_count: { - type: 'long', - _meta: { description: 'The count of gaps' }, - }, - }, - saved_query: { - failures: { - 
type: 'long', - _meta: { description: 'The number of failed rules' }, - }, - top_failures: { - type: 'array', - items: { - message: { - type: 'keyword', - _meta: { description: 'Failed rule message' }, - }, - count: { - type: 'long', - _meta: { description: 'Number of times the message occurred' }, - }, - }, - }, - partial_failures: { - type: 'long', - _meta: { description: 'The number of partial failure rules' }, - }, - top_partial_failures: { - type: 'array', - items: { - message: { - type: 'keyword', - _meta: { description: 'Failed rule message' }, - }, - count: { - type: 'long', - _meta: { description: 'Number of times the message occurred' }, - }, - }, - }, - succeeded: { - type: 'long', - _meta: { description: 'The number of successful rules' }, - }, - index_duration: { - max: { - type: 'float', - _meta: { description: 'The max duration' }, - }, - avg: { - type: 'float', - _meta: { description: 'The avg duration' }, - }, - min: { - type: 'float', - _meta: { description: 'The min duration' }, - }, - }, - search_duration: { - max: { - type: 'float', - _meta: { description: 'The max duration' }, - }, - avg: { - type: 'float', - _meta: { description: 'The avg duration' }, - }, - min: { - type: 'float', - _meta: { description: 'The min duration' }, - }, - }, - enrichment_duration: { - max: { - type: 'float', - _meta: { description: 'The max duration' }, - }, - avg: { - type: 'float', - _meta: { description: 'The avg duration' }, - }, - min: { - type: 'float', - _meta: { description: 'The min duration' }, - }, - }, - gap_duration: { - max: { - type: 'float', - _meta: { description: 'The max duration' }, - }, - avg: { - type: 'float', - _meta: { description: 'The avg duration' }, - }, - min: { - type: 'float', - _meta: { description: 'The min duration' }, - }, - }, - gap_count: { - type: 'long', - _meta: { description: 'The count of gaps' }, - }, - }, - threshold: { - failures: { - type: 'long', - _meta: { description: 'The number of failed rules' }, - }, - 
top_failures: { - type: 'array', - items: { - message: { - type: 'keyword', - _meta: { description: 'Failed rule message' }, - }, - count: { - type: 'long', - _meta: { description: 'Number of times the message occurred' }, - }, - }, - }, - partial_failures: { - type: 'long', - _meta: { description: 'The number of partial failure rules' }, - }, - top_partial_failures: { - type: 'array', - items: { - message: { - type: 'keyword', - _meta: { description: 'Failed rule message' }, - }, - count: { - type: 'long', - _meta: { description: 'Number of times the message occurred' }, - }, - }, - }, - succeeded: { - type: 'long', - _meta: { description: 'The number of successful rules' }, - }, - index_duration: { - max: { - type: 'float', - _meta: { description: 'The max duration' }, - }, - avg: { - type: 'float', - _meta: { description: 'The avg duration' }, - }, - min: { - type: 'float', - _meta: { description: 'The min duration' }, - }, - }, - search_duration: { - max: { - type: 'float', - _meta: { description: 'The max duration' }, - }, - avg: { - type: 'float', - _meta: { description: 'The avg duration' }, - }, - min: { - type: 'float', - _meta: { description: 'The min duration' }, - }, - }, - enrichment_duration: { - max: { - type: 'float', - _meta: { description: 'The max duration' }, - }, - avg: { - type: 'float', - _meta: { description: 'The avg duration' }, - }, - min: { - type: 'float', - _meta: { description: 'The min duration' }, - }, - }, - gap_duration: { - max: { - type: 'float', - _meta: { description: 'The max duration' }, - }, - avg: { - type: 'float', - _meta: { description: 'The avg duration' }, - }, - min: { - type: 'float', - _meta: { description: 'The min duration' }, - }, - }, - gap_count: { - type: 'long', - _meta: { description: 'The count of gaps' }, - }, - }, - total: { - failures: { - type: 'long', - _meta: { description: 'The number of failed rules' }, - }, - partial_failures: { - type: 'long', - _meta: { description: 'The number of partial 
failure rules' },
- },
- succeeded: {
- type: 'long',
- _meta: { description: 'The number of succeeded rules' },
- },
- },
- },
- },
- },
+ detection_rules: rulesMetricsSchema,
 ml_jobs: {
 ml_job_usage: {
 custom: {
diff --git a/x-pack/solutions/security/plugins/security_solution/server/usage/detections/get_metrics.test.ts b/x-pack/solutions/security/plugins/security_solution/server/usage/detections/get_metrics.test.ts
index 5eccb14188fdf..186df46917d39 100644
--- a/x-pack/solutions/security/plugins/security_solution/server/usage/detections/get_metrics.test.ts
+++ b/x-pack/solutions/security/plugins/security_solution/server/usage/detections/get_metrics.test.ts
@@ -214,6 +214,20 @@ describe('Detections Usage and Metrics', () => {
 has_exceptions: 0,
 response_actions: initialResponseActionsUsage,
 },
+ query_custom: {
+ alerts: 800,
+ cases: 1,
+ disabled: 1,
+ enabled: 0,
+ legacy_notifications_enabled: 0,
+ legacy_notifications_disabled: 0,
+ notifications_enabled: 0,
+ notifications_disabled: 0,
+ legacy_investigation_fields: 0,
+ alert_suppression: initialAlertSuppression,
+ response_actions: initialResponseActionsUsage,
+ has_exceptions: 0,
+ },
 },
 },
 });
diff --git a/x-pack/solutions/security/plugins/security_solution/server/usage/detections/rules/get_initial_usage.ts b/x-pack/solutions/security/plugins/security_solution/server/usage/detections/rules/get_initial_usage.ts
index 2c047bcd8ce9e..9ec06a29eb27c 100644
--- a/x-pack/solutions/security/plugins/security_solution/server/usage/detections/rules/get_initial_usage.ts
+++ b/x-pack/solutions/security/plugins/security_solution/server/usage/detections/rules/get_initial_usage.ts
@@ -13,6 +13,7 @@ import type {
 SingleEventMetric,
 AlertSuppressionUsage,
 SpacesUsage,
+ FeatureTypeUsage,
 ResponseActionsUsage,
 } from './types';
@@ -44,136 +45,41 @@ export const getInitialSpacesUsage = (): SpacesUsage => ({
 rules_in_spaces: [],
 });
+export const getInitialFeatureTypeUsage = (): FeatureTypeUsage => ({
+ enabled: 0,
+ disabled: 0,
+ alerts: 0,
+ cases: 0,
+ legacy_notifications_enabled: 0,
+ legacy_notifications_disabled: 0,
+ notifications_enabled: 0,
+ notifications_disabled: 0,
+ legacy_investigation_fields: 0,
+ alert_suppression: initialAlertSuppression,
+ response_actions: initialResponseActionsUsage,
+ has_exceptions: 0,
+});
+
 /**
 * Default detection rule usage count, split by type + elastic/custom
 */
 export const getInitialRulesUsage = (): RulesTypeUsage => ({
- query: {
- enabled: 0,
- disabled: 0,
- alerts: 0,
- cases: 0,
- legacy_notifications_enabled: 0,
- legacy_notifications_disabled: 0,
- notifications_enabled: 0,
- notifications_disabled: 0,
- legacy_investigation_fields: 0,
- alert_suppression: initialAlertSuppression,
- has_exceptions: 0,
- response_actions: initialResponseActionsUsage,
- },
- threshold: {
- enabled: 0,
- disabled: 0,
- alerts: 0,
- cases: 0,
- legacy_notifications_enabled: 0,
- legacy_notifications_disabled: 0,
- notifications_enabled: 0,
- notifications_disabled: 0,
- legacy_investigation_fields: 0,
- alert_suppression: initialAlertSuppression,
- has_exceptions: 0,
- response_actions: initialResponseActionsUsage,
- },
- eql: {
- enabled: 0,
- disabled: 0,
- alerts: 0,
- cases: 0,
- legacy_notifications_enabled: 0,
- legacy_notifications_disabled: 0,
- notifications_enabled: 0,
- notifications_disabled: 0,
- legacy_investigation_fields: 0,
- alert_suppression: initialAlertSuppression,
- has_exceptions: 0,
- response_actions: initialResponseActionsUsage,
- },
- machine_learning: {
- enabled: 0,
- disabled: 0,
- alerts: 0,
- cases: 0,
- legacy_notifications_enabled: 0,
- legacy_notifications_disabled: 0,
- notifications_enabled: 0,
- notifications_disabled: 0,
- legacy_investigation_fields: 0,
- alert_suppression: initialAlertSuppression,
- has_exceptions: 
0,
- response_actions: initialResponseActionsUsage,
- },
- threat_match: {
- enabled: 0,
- disabled: 0,
- alerts: 0,
- cases: 0,
- legacy_notifications_enabled: 0,
- legacy_notifications_disabled: 0,
- notifications_enabled: 0,
- notifications_disabled: 0,
- legacy_investigation_fields: 0,
- alert_suppression: initialAlertSuppression,
- has_exceptions: 0,
- response_actions: initialResponseActionsUsage,
- },
- new_terms: {
- enabled: 0,
- disabled: 0,
- alerts: 0,
- cases: 0,
- legacy_notifications_enabled: 0,
- legacy_notifications_disabled: 0,
- notifications_enabled: 0,
- notifications_disabled: 0,
- legacy_investigation_fields: 0,
- alert_suppression: initialAlertSuppression,
- has_exceptions: 0,
- response_actions: initialResponseActionsUsage,
- },
- esql: {
- enabled: 0,
- disabled: 0,
- alerts: 0,
- cases: 0,
- legacy_notifications_enabled: 0,
- legacy_notifications_disabled: 0,
- notifications_enabled: 0,
- notifications_disabled: 0,
- legacy_investigation_fields: 0,
- alert_suppression: initialAlertSuppression,
- has_exceptions: 0,
- response_actions: initialResponseActionsUsage,
- },
- elastic_total: {
- enabled: 0,
- disabled: 0,
- alerts: 0,
- cases: 0,
- legacy_notifications_enabled: 0,
- legacy_notifications_disabled: 0,
- notifications_enabled: 0,
- notifications_disabled: 0,
- legacy_investigation_fields: 0,
- alert_suppression: initialAlertSuppression,
- has_exceptions: 0,
- response_actions: initialResponseActionsUsage,
- },
- custom_total: {
- enabled: 0,
- disabled: 0,
- alerts: 0,
- cases: 0,
- legacy_notifications_enabled: 0,
- legacy_notifications_disabled: 0,
- notifications_enabled: 0,
- notifications_disabled: 0,
- legacy_investigation_fields: 0,
- alert_suppression: initialAlertSuppression,
- has_exceptions: 0,
- response_actions: initialResponseActionsUsage,
- },
+ query: getInitialFeatureTypeUsage(),
+ query_custom: getInitialFeatureTypeUsage(),
+ threshold: getInitialFeatureTypeUsage(),
+ threshold_custom: getInitialFeatureTypeUsage(),
+ eql: getInitialFeatureTypeUsage(),
+ eql_custom: getInitialFeatureTypeUsage(),
+ machine_learning: getInitialFeatureTypeUsage(),
+ machine_learning_custom: getInitialFeatureTypeUsage(),
+ threat_match: getInitialFeatureTypeUsage(),
+ threat_match_custom: getInitialFeatureTypeUsage(),
+ new_terms: getInitialFeatureTypeUsage(),
+ new_terms_custom: getInitialFeatureTypeUsage(),
+ esql: getInitialFeatureTypeUsage(),
+ esql_custom: getInitialFeatureTypeUsage(),
+ elastic_total: getInitialFeatureTypeUsage(),
+ custom_total: getInitialFeatureTypeUsage(),
 });
 /**
diff --git a/x-pack/solutions/security/plugins/security_solution/server/usage/detections/rules/schema.ts b/x-pack/solutions/security/plugins/security_solution/server/usage/detections/rules/schema.ts
new file mode 100644
index 0000000000000..9ea9068987c84
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/server/usage/detections/rules/schema.ts
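Review bot: `getInitialFeatureTypeUsage` returns a fresh top-level object per call, but its `alert_suppression` and `response_actions` fields still point at the module-level `initialAlertSuppression` and `initialResponseActionsUsage` objects, so all sixteen buckets built by `getInitialRulesUsage` share those two nested objects by reference. The removed literals did exactly the same, so this is not a regression, and it only matters if some updater mutates nested counters in place rather than rebuilding them with spreads — the updaters are not visible in this hunk. If any does, copy the nested defaults inside the helper (or turn them into factories as well) instead of reusing the constants; if none does, a short comment stating the invariant is worth adding, e.g. `// nested defaults are shared module constants: updaters must copy, never mutate in place`. The new export also has no doc comment while its sibling does; `/** Zero-valued usage bucket for a single rule type, used for both the plain and _custom keys of RulesTypeUsage. */` would document the contract.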
@@ -0,0 +1,34 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { MakeSchemaFrom } from '@kbn/usage-collection-plugin/server';
+import { ruleTypeUsageSchema } from './schemas/detection_rule_usage';
+import { ruleMetricsSchema } from './schemas/prebuilt_rule_detail';
+import { ruleStatusMetricsSchema } from './schemas/detection_rule_status';
+import type { RuleAdoption } from './types';
+
+export const rulesMetricsSchema: MakeSchemaFrom = {
+ spaces_usage: {
+ total: {
+ type: 'long',
+ _meta: { description: 'Total number of spaces where detection rules added' },
+ },
+ rules_in_spaces: {
+ type: 'array',
+ items: {
+ type: 'long',
+ _meta: { description: 'Number of rules is each space' },
+ },
+ },
+ },
+ detection_rule_usage: ruleTypeUsageSchema,
+ detection_rule_detail: {
+ type: 'array',
+ items: ruleMetricsSchema,
+ },
+ detection_rule_status: ruleStatusMetricsSchema,
+};
diff --git a/x-pack/solutions/security/plugins/security_solution/server/usage/detections/rules/schemas/detection_rule_status.ts b/x-pack/solutions/security/plugins/security_solution/server/usage/detections/rules/schemas/detection_rule_status.ts
new file mode 100644
index 0000000000000..31471c559e5df
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/server/usage/detections/rules/schemas/detection_rule_status.ts
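Review bot: Two of the new `_meta.description` strings in `rulesMetricsSchema` are ungrammatical and will be published verbatim in the telemetry schema: `'Number of rules is each space'` should read `'Number of rules in each space'`, and `'Total number of spaces where detection rules added'` should read `'Total number of spaces where detection rules are added'`. The exported `rulesMetricsSchema` differs from the imported `ruleMetricsSchema` by a single letter, which makes the `items: ruleMetricsSchema` line under `detection_rule_detail` easy to misread; aliasing the import, `import { ruleMetricsSchema as ruleDetailSchema } from './schemas/prebuilt_rule_detail';`, removes the ambiguity. As rendered here `MakeSchemaFrom` carries no type argument and the imported `RuleAdoption` is unused, which is most likely the angle brackets being dropped by the page extraction, but if the file really reads `MakeSchemaFrom = {` it needs to be `MakeSchemaFrom<RuleAdoption> = {` for the schema to be checked against the collected type.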
@@ -0,0 +1,2460 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type { MakeSchemaFrom } from '@kbn/usage-collection-plugin/server'; +import type { EventLogStatusMetric } from '../types'; + +export const ruleStatusMetricsSchema: MakeSchemaFrom = { + all_rules: { + eql: { + failures: { + type: 'long', + _meta: { description: 'The number of failed rules' }, + }, + top_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + partial_failures: { + type: 'long', + _meta: { description: 'The number of partial failure rules' }, + }, + top_partial_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + succeeded: { + type: 'long', + _meta: { description: 'The number of successful rules' }, + }, + index_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration of time spent indexing alerts' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration of time spent indexing alerts' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration of time spent indexing alerts' }, + }, + }, + search_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration of time spent searching alerts' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration of time spent searching alerts' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration of time spent searching alerts' }, + }, + }, + enrichment_duration: { 
+ max: { + type: 'float', + _meta: { description: 'The max duration of time spent enriching alerts' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration of time spent enriching alerts' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration of time spent enriching alerts' }, + }, + }, + gap_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_count: { + type: 'long', + _meta: { description: 'The count of gaps' }, + }, + }, + new_terms: { + failures: { + type: 'long', + _meta: { description: 'The number of failed rules' }, + }, + top_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + partial_failures: { + type: 'long', + _meta: { description: 'The number of partial failure rules' }, + }, + top_partial_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + succeeded: { + type: 'long', + _meta: { description: 'The number of successful rules' }, + }, + index_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + search_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + 
enrichment_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_count: { + type: 'long', + _meta: { description: 'The count of gaps' }, + }, + }, + esql: { + failures: { + type: 'long', + _meta: { description: 'The number of failed rules' }, + }, + top_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + partial_failures: { + type: 'long', + _meta: { description: 'The number of partial failure rules' }, + }, + top_partial_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + succeeded: { + type: 'long', + _meta: { description: 'The number of successful rules' }, + }, + index_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + search_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + enrichment_duration: { + max: { + type: 'float', + _meta: { description: 'The max 
duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_count: { + type: 'long', + _meta: { description: 'The count of gaps' }, + }, + }, + threat_match: { + failures: { + type: 'long', + _meta: { description: 'The number of failed rules' }, + }, + top_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + partial_failures: { + type: 'long', + _meta: { description: 'The number of partial failure rules' }, + }, + top_partial_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + succeeded: { + type: 'long', + _meta: { description: 'The number of successful rules' }, + }, + index_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + search_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + enrichment_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg 
duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_count: { + type: 'long', + _meta: { description: 'The count of gaps' }, + }, + }, + machine_learning: { + failures: { + type: 'long', + _meta: { description: 'The number of failed rules' }, + }, + top_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + partial_failures: { + type: 'long', + _meta: { description: 'The number of partial failure rules' }, + }, + top_partial_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + succeeded: { + type: 'long', + _meta: { description: 'The number of successful rules' }, + }, + index_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + search_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + enrichment_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min 
duration' }, + }, + }, + gap_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_count: { + type: 'long', + _meta: { description: 'The count of gaps' }, + }, + }, + query: { + failures: { + type: 'long', + _meta: { description: 'The number of failed rules' }, + }, + top_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + partial_failures: { + type: 'long', + _meta: { description: 'The number of partial failure rules' }, + }, + top_partial_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + succeeded: { + type: 'long', + _meta: { description: 'The number of successful rules' }, + }, + index_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + search_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + enrichment_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_duration: { + max: { + type: 'float', + _meta: { 
description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_count: { + type: 'long', + _meta: { description: 'The count of gaps' }, + }, + }, + saved_query: { + failures: { + type: 'long', + _meta: { description: 'The number of failed rules' }, + }, + top_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + partial_failures: { + type: 'long', + _meta: { description: 'The number of partial failure rules' }, + }, + top_partial_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + succeeded: { + type: 'long', + _meta: { description: 'The number of successful rules' }, + }, + index_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + search_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + enrichment_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { 
description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_count: { + type: 'long', + _meta: { description: 'The count of gaps' }, + }, + }, + threshold: { + failures: { + type: 'long', + _meta: { description: 'The number of failed rules' }, + }, + top_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + partial_failures: { + type: 'long', + _meta: { description: 'The number of partial failure rules' }, + }, + top_partial_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + succeeded: { + type: 'long', + _meta: { description: 'The number of successful rules' }, + }, + index_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + search_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + enrichment_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { 
description: 'The min duration' }, + }, + }, + gap_count: { + type: 'long', + _meta: { description: 'The count of gaps' }, + }, + }, + total: { + failures: { + type: 'long', + _meta: { description: 'The number of failed rules' }, + }, + partial_failures: { + type: 'long', + _meta: { description: 'The number of partial failure rules' }, + }, + succeeded: { + type: 'long', + _meta: { description: 'The number of succeeded rules' }, + }, + }, + }, + elastic_rules: { + eql: { + failures: { + type: 'long', + _meta: { description: 'The number of failed rules' }, + }, + top_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + partial_failures: { + type: 'long', + _meta: { description: 'The number of partial failure rules' }, + }, + top_partial_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + succeeded: { + type: 'long', + _meta: { description: 'The number of successful rules' }, + }, + index_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + search_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + enrichment_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { 
description: 'The min duration' }, + }, + }, + gap_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_count: { + type: 'long', + _meta: { description: 'The count of gaps' }, + }, + }, + new_terms: { + failures: { + type: 'long', + _meta: { description: 'The number of failed rules' }, + }, + top_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + partial_failures: { + type: 'long', + _meta: { description: 'The number of partial failure rules' }, + }, + top_partial_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + succeeded: { + type: 'long', + _meta: { description: 'The number of successful rules' }, + }, + index_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + search_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + enrichment_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_duration: { + max: { + type: 
'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_count: { + type: 'long', + _meta: { description: 'The count of gaps' }, + }, + }, + esql: { + failures: { + type: 'long', + _meta: { description: 'The number of failed rules' }, + }, + top_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + partial_failures: { + type: 'long', + _meta: { description: 'The number of partial failure rules' }, + }, + top_partial_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + succeeded: { + type: 'long', + _meta: { description: 'The number of successful rules' }, + }, + index_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + search_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + enrichment_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + 
_meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_count: { + type: 'long', + _meta: { description: 'The count of gaps' }, + }, + }, + threat_match: { + failures: { + type: 'long', + _meta: { description: 'The number of failed rules' }, + }, + top_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + partial_failures: { + type: 'long', + _meta: { description: 'The number of partial failure rules' }, + }, + top_partial_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + succeeded: { + type: 'long', + _meta: { description: 'The number of successful rules' }, + }, + index_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + search_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + enrichment_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + 
_meta: { description: 'The min duration' }, + }, + }, + gap_count: { + type: 'long', + _meta: { description: 'The count of gaps' }, + }, + }, + machine_learning: { + failures: { + type: 'long', + _meta: { description: 'The number of failed rules' }, + }, + top_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + partial_failures: { + type: 'long', + _meta: { description: 'The number of partial failure rules' }, + }, + top_partial_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + succeeded: { + type: 'long', + _meta: { description: 'The number of successful rules' }, + }, + index_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + search_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + enrichment_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_count: { + type: 
'long', + _meta: { description: 'The count of gaps' }, + }, + }, + query: { + failures: { + type: 'long', + _meta: { description: 'The number of failed rules' }, + }, + top_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + partial_failures: { + type: 'long', + _meta: { description: 'The number of partial failure rules' }, + }, + top_partial_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + succeeded: { + type: 'long', + _meta: { description: 'The number of successful rules' }, + }, + index_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + search_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + enrichment_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_count: { + type: 'long', + _meta: { description: 'The count of gaps' }, + }, + }, + saved_query: { + 
failures: { + type: 'long', + _meta: { description: 'The number of failed rules' }, + }, + top_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + partial_failures: { + type: 'long', + _meta: { description: 'The number of partial failure rules' }, + }, + top_partial_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + succeeded: { + type: 'long', + _meta: { description: 'The number of successful rules' }, + }, + index_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + search_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + enrichment_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_count: { + type: 'long', + _meta: { description: 'The count of gaps' }, + }, + }, + threshold: { + failures: { + type: 'long', + _meta: { description: 'The number of failed rules' }, + 
}, + top_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + partial_failures: { + type: 'long', + _meta: { description: 'The number of partial failure rules' }, + }, + top_partial_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + succeeded: { + type: 'long', + _meta: { description: 'The number of successful rules' }, + }, + index_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + search_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + enrichment_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_count: { + type: 'long', + _meta: { description: 'The count of gaps' }, + }, + }, + total: { + failures: { + type: 'long', + _meta: { description: 'The number of failed rules' }, + }, + partial_failures: { + type: 'long', + _meta: { description: 'The number of partial 
failure rules' }, + }, + succeeded: { + type: 'long', + _meta: { description: 'The number of succeeded rules' }, + }, + }, + }, + custom_rules: { + eql: { + failures: { + type: 'long', + _meta: { description: 'The number of failed rules' }, + }, + top_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + partial_failures: { + type: 'long', + _meta: { description: 'The number of partial failure rules' }, + }, + top_partial_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + succeeded: { + type: 'long', + _meta: { description: 'The number of successful rules' }, + }, + index_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + search_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + enrichment_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_count: { + type: 'long', + 
_meta: { description: 'The count of gaps' }, + }, + }, + new_terms: { + failures: { + type: 'long', + _meta: { description: 'The number of failed rules' }, + }, + top_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + partial_failures: { + type: 'long', + _meta: { description: 'The number of partial failure rules' }, + }, + top_partial_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + succeeded: { + type: 'long', + _meta: { description: 'The number of successful rules' }, + }, + index_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + search_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + enrichment_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_count: { + type: 'long', + _meta: { description: 'The count of gaps' }, + }, + }, + esql: { + failures: { + 
type: 'long', + _meta: { description: 'The number of failed rules' }, + }, + top_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + partial_failures: { + type: 'long', + _meta: { description: 'The number of partial failure rules' }, + }, + top_partial_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + succeeded: { + type: 'long', + _meta: { description: 'The number of successful rules' }, + }, + index_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + search_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + enrichment_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_count: { + type: 'long', + _meta: { description: 'The count of gaps' }, + }, + }, + threat_match: { + failures: { + type: 'long', + _meta: { description: 'The number of failed rules' }, + }, + 
top_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + partial_failures: { + type: 'long', + _meta: { description: 'The number of partial failure rules' }, + }, + top_partial_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + succeeded: { + type: 'long', + _meta: { description: 'The number of successful rules' }, + }, + index_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + search_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + enrichment_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_count: { + type: 'long', + _meta: { description: 'The count of gaps' }, + }, + }, + machine_learning: { + failures: { + type: 'long', + _meta: { description: 'The number of failed rules' }, + }, + top_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + 
_meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + partial_failures: { + type: 'long', + _meta: { description: 'The number of partial failure rules' }, + }, + top_partial_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + succeeded: { + type: 'long', + _meta: { description: 'The number of successful rules' }, + }, + index_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + search_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + enrichment_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_count: { + type: 'long', + _meta: { description: 'The count of gaps' }, + }, + }, + query: { + failures: { + type: 'long', + _meta: { description: 'The number of failed rules' }, + }, + top_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { 
description: 'Number of times the message occurred' }, + }, + }, + }, + partial_failures: { + type: 'long', + _meta: { description: 'The number of partial failure rules' }, + }, + top_partial_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + succeeded: { + type: 'long', + _meta: { description: 'The number of successful rules' }, + }, + index_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + search_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + enrichment_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_count: { + type: 'long', + _meta: { description: 'The count of gaps' }, + }, + }, + saved_query: { + failures: { + type: 'long', + _meta: { description: 'The number of failed rules' }, + }, + top_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + 
partial_failures: { + type: 'long', + _meta: { description: 'The number of partial failure rules' }, + }, + top_partial_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + succeeded: { + type: 'long', + _meta: { description: 'The number of successful rules' }, + }, + index_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + search_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + enrichment_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_count: { + type: 'long', + _meta: { description: 'The count of gaps' }, + }, + }, + threshold: { + failures: { + type: 'long', + _meta: { description: 'The number of failed rules' }, + }, + top_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + partial_failures: { + type: 'long', + _meta: { description: 'The number of partial 
failure rules' }, + }, + top_partial_failures: { + type: 'array', + items: { + message: { + type: 'keyword', + _meta: { description: 'Failed rule message' }, + }, + count: { + type: 'long', + _meta: { description: 'Number of times the message occurred' }, + }, + }, + }, + succeeded: { + type: 'long', + _meta: { description: 'The number of successful rules' }, + }, + index_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + search_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + enrichment_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_duration: { + max: { + type: 'float', + _meta: { description: 'The max duration' }, + }, + avg: { + type: 'float', + _meta: { description: 'The avg duration' }, + }, + min: { + type: 'float', + _meta: { description: 'The min duration' }, + }, + }, + gap_count: { + type: 'long', + _meta: { description: 'The count of gaps' }, + }, + }, + total: { + failures: { + type: 'long', + _meta: { description: 'The number of failed rules' }, + }, + partial_failures: { + type: 'long', + _meta: { description: 'The number of partial failure rules' }, + }, + succeeded: { + type: 'long', + _meta: { description: 'The number of succeeded rules' }, + }, + }, + }, +}; 
diff --git a/x-pack/solutions/security/plugins/security_solution/server/usage/detections/rules/schemas/detection_rule_usage.ts b/x-pack/solutions/security/plugins/security_solution/server/usage/detections/rules/schemas/detection_rule_usage.ts
new file mode 100644
index 0000000000000..d8ff171afa3f6
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/server/usage/detections/rules/schemas/detection_rule_usage.ts
@@ -0,0 +1,2124 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { MakeSchemaFrom } from '@kbn/usage-collection-plugin/server';
+import type { RulesTypeUsage } from '../types';
+
+export const ruleTypeUsageSchema: MakeSchemaFrom = {
+ query: {
+ enabled: { type: 'long', _meta: { description: 'Number of query rules enabled' } },
+ disabled: { type: 'long', _meta: { description: 'Number of query rules disabled' } },
+ alerts: {
+ type: 'long',
+ _meta: { description: 'Number of alerts generated by query rules' },
+ },
+ cases: {
+ type: 'long',
+ _meta: { description: 'Number of cases attached to query detection rule alerts' },
+ },
+ legacy_notifications_enabled: {
+ type: 'long',
+ _meta: { description: 'Number of legacy notifications enabled' },
+ },
+ legacy_notifications_disabled: {
+ type: 'long',
+ _meta: { description: 'Number of legacy notifications disabled' },
+ },
+ notifications_enabled: {
+ type: 'long',
+ _meta: { description: 'Number of notifications enabled' },
+ },
+ notifications_disabled: {
+ type: 'long',
+ _meta: { description: 'Number of notifications disabled' },
+ },
+ legacy_investigation_fields: {
+ type: 'long',
+ _meta: {
+ description:
+ 'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS',
+ },
+ },
+ alert_suppression: {
+ enabled: {
+ type: 'long',
+ _meta: {
+ description: 'Number of enabled query rules configured with suppression',
+ },
+ },
+ disabled: {
+ type: 'long',
+ _meta: {
+ description: 'Number of disabled query rules configured with suppression',
+ },
+ },
+ suppressed_fields_count: {
+ one: {
+ type: 'long',
+ _meta: {
+ description: 'Number of query rules configured with one suppression field',
+ },
+ },
+ two: {
+ type: 'long',
+ _meta: {
+ description:
'Number of query rules configured with two suppression fields', + }, + }, + three: { + type: 'long', + _meta: { + description: 'Number of query rules configured with three suppression fields', + }, + }, + }, + suppressed_per_time_period: { + type: 'long', + _meta: { + description: 'Number of query rules configured with suppression per time period', + }, + }, + suppressed_per_rule_execution: { + type: 'long', + _meta: { + description: 'Number of query rules configured with suppression per rule execution', + }, + }, + suppresses_missing_fields: { + type: 'long', + _meta: { + description: 'Number of query rules configured to suppress alerts with missing fields', + }, + }, + does_not_suppress_missing_fields: { + type: 'long', + _meta: { + description: + 'Number of query rules configured do not suppress alerts with missing fields', + }, + }, + }, + response_actions: { + enabled: { + type: 'long', + _meta: { + description: 'Number of enabled query rules configured with response actions', + }, + }, + disabled: { + type: 'long', + _meta: { + description: 'Number of disabled query rules configured with response actions', + }, + }, + response_actions: { + endpoint: { + type: 'long', + _meta: { + description: 'Number of endpoint response actions within query rules', + }, + }, + osquery: { + type: 'long', + _meta: { description: 'Number of osquery response actions within query rules' }, + }, + }, + }, + has_exceptions: { + type: 'long', + _meta: { description: 'Number of query rules with exceptions' }, + }, + }, + query_custom: { + enabled: { type: 'long', _meta: { description: 'Number of custom query rules enabled' } }, + disabled: { type: 'long', _meta: { description: 'Number of custom query rules disabled' } }, + alerts: { + type: 'long', + _meta: { description: 'Number of alerts generated by custom query rules' }, + }, + cases: { + type: 'long', + _meta: { description: 'Number of cases attached to custom query detection rule alerts' }, + }, + legacy_notifications_enabled: 
{ + type: 'long', + _meta: { + description: 'Number of custom query detection rules with legacy notifications enabled', + }, + }, + legacy_notifications_disabled: { + type: 'long', + _meta: { + description: 'Number of custom query detection rules with legacy notifications disabled', + }, + }, + notifications_enabled: { + type: 'long', + _meta: { + description: 'Number of custom query detection rules with custom notifications enabled', + }, + }, + notifications_disabled: { + type: 'long', + _meta: { + description: 'Number of custom query detection rules with custom notifications disabled', + }, + }, + legacy_investigation_fields: { + type: 'long', + _meta: { + description: + 'Number of custom query detection rules using the legacy investigation fields type introduced only in 8.10 ESS', + }, + }, + alert_suppression: { + enabled: { + type: 'long', + _meta: { + description: 'Number of enabled custom query rules configured with suppression', + }, + }, + disabled: { + type: 'long', + _meta: { + description: 'Number of disabled custom query rules configured with suppression', + }, + }, + suppressed_fields_count: { + one: { + type: 'long', + _meta: { + description: 'Number of custom query rules configured with one suppression field', + }, + }, + two: { + type: 'long', + _meta: { + description: 'Number of custom query rules configured with two suppression field', + }, + }, + three: { + type: 'long', + _meta: { + description: 'Number of custom query rules configured with three suppression field', + }, + }, + }, + suppressed_per_time_period: { + type: 'long', + _meta: { + description: 'Number of custom query rules configured with suppression per time period', + }, + }, + suppressed_per_rule_execution: { + type: 'long', + _meta: { + description: + 'Number of custom query rules configured with suppression per rule execution', + }, + }, + suppresses_missing_fields: { + type: 'long', + _meta: { + description: + 'Number of custom query rules configured to suppress alerts with 
missing fields', + }, + }, + does_not_suppress_missing_fields: { + type: 'long', + _meta: { + description: + 'Number of custom query rules configured do not suppress alerts with missing fields', + }, + }, + }, + response_actions: { + enabled: { + type: 'long', + _meta: { + description: 'Number of enabled custom query rules configured with response actions', + }, + }, + disabled: { + type: 'long', + _meta: { + description: 'Number of disabled custom query rules configured with response actions', + }, + }, + response_actions: { + endpoint: { + type: 'long', + _meta: { + description: 'Number of endpoint response actions within custom query rules', + }, + }, + osquery: { + type: 'long', + _meta: { description: 'Number of osquery response actions within custom query rules' }, + }, + }, + }, + has_exceptions: { + type: 'long', + _meta: { description: 'Number of custom query rules with exceptions' }, + }, + }, + threshold: { + enabled: { + type: 'long', + _meta: { description: 'Number of threshold rules enabled' }, + }, + disabled: { + type: 'long', + _meta: { description: 'Number of threshold rules disabled' }, + }, + alerts: { + type: 'long', + _meta: { description: 'Number of alerts generated by threshold rules' }, + }, + cases: { + type: 'long', + _meta: { + description: 'Number of cases attached to threshold detection rule alerts', + }, + }, + legacy_notifications_enabled: { + type: 'long', + _meta: { description: 'Number of legacy notifications enabled' }, + }, + legacy_notifications_disabled: { + type: 'long', + _meta: { description: 'Number of legacy notifications disabled' }, + }, + notifications_enabled: { + type: 'long', + _meta: { description: 'Number of notifications enabled' }, + }, + notifications_disabled: { + type: 'long', + _meta: { description: 'Number of notifications enabled' }, + }, + legacy_investigation_fields: { + type: 'long', + _meta: { + description: + 'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS', + 
}, + }, + alert_suppression: { + enabled: { + type: 'long', + _meta: { + description: 'Number of enabled threshold rules configured with suppression', + }, + }, + disabled: { + type: 'long', + _meta: { + description: 'Number of disabled threshold rules configured with suppression', + }, + }, + suppressed_fields_count: { + one: { + type: 'long', + _meta: { + description: 'Number of threshold rules configured with one suppression field', + }, + }, + two: { + type: 'long', + _meta: { + description: 'Number of threshold rules configured with two suppression field', + }, + }, + three: { + type: 'long', + _meta: { + description: 'Number of threshold rules configured with three suppression field', + }, + }, + }, + suppressed_per_time_period: { + type: 'long', + _meta: { + description: 'Number of threshold rules configured with suppression per time period', + }, + }, + suppressed_per_rule_execution: { + type: 'long', + _meta: { + description: 'Number of threshold rules configured with suppression per rule execution', + }, + }, + suppresses_missing_fields: { + type: 'long', + _meta: { + description: + 'Number of threshold rules configured to suppress alerts with missing fields', + }, + }, + does_not_suppress_missing_fields: { + type: 'long', + _meta: { + description: + 'Number of threshold rules configured do not suppress alerts with missing fields', + }, + }, + }, + response_actions: { + enabled: { + type: 'long', + _meta: { + description: 'Number of enabled threshold rules configured with response actions', + }, + }, + disabled: { + type: 'long', + _meta: { + description: 'Number of disabled threshold rules configured with response actions', + }, + }, + response_actions: { + endpoint: { + type: 'long', + _meta: { + description: 'Number of endpoint response actions within threshold rules', + }, + }, + osquery: { + type: 'long', + _meta: { description: 'Number of osquery response actions within threshold rules' }, + }, + }, + }, + has_exceptions: { + type: 'long', + _meta: 
{ description: 'Number of threshold rules with exceptions' }, + }, + }, + threshold_custom: { + enabled: { + type: 'long', + _meta: { description: 'Number of custom threshold rules enabled' }, + }, + disabled: { + type: 'long', + _meta: { description: 'Number of custom threshold rules disabled' }, + }, + alerts: { + type: 'long', + _meta: { description: 'Number of alerts generated by custom threshold rules' }, + }, + cases: { + type: 'long', + _meta: { + description: 'Number of cases attached to custom threshold detection rule alerts', + }, + }, + legacy_notifications_enabled: { + type: 'long', + _meta: { description: 'Number of custom threshold rules with legacy notifications enabled' }, + }, + legacy_notifications_disabled: { + type: 'long', + _meta: { description: 'Number of custom threshold rules with legacy notifications disabled' }, + }, + notifications_enabled: { + type: 'long', + _meta: { description: 'Number of custom threshold rules with notifications enabled' }, + }, + notifications_disabled: { + type: 'long', + _meta: { description: 'Number of custom threshold rules with notifications disabled' }, + }, + legacy_investigation_fields: { + type: 'long', + _meta: { + description: + 'Number of custom threshold rules using the legacy investigation fields type introduced only in 8.10 ESS', + }, + }, + alert_suppression: { + enabled: { + type: 'long', + _meta: { + description: 'Number of enabled custom threshold rules configured with suppression', + }, + }, + disabled: { + type: 'long', + _meta: { + description: 'Number of disabled custom threshold rules configured with suppression', + }, + }, + suppressed_fields_count: { + one: { + type: 'long', + _meta: { + description: 'Number of custom threshold rules configured with one suppression field', + }, + }, + two: { + type: 'long', + _meta: { + description: 'Number of custom threshold rules configured with two suppression field', + }, + }, + three: { + type: 'long', + _meta: { + description: 'Number of custom 
threshold rules configured with three suppression field', + }, + }, + }, + suppressed_per_time_period: { + type: 'long', + _meta: { + description: + 'Number of custom threshold rules configured with suppression per time period', + }, + }, + suppressed_per_rule_execution: { + type: 'long', + _meta: { + description: + 'Number of custom threshold rules configured with suppression per rule execution', + }, + }, + suppresses_missing_fields: { + type: 'long', + _meta: { + description: + 'Number of custom threshold rules configured to suppress alerts with missing fields', + }, + }, + does_not_suppress_missing_fields: { + type: 'long', + _meta: { + description: + 'Number of custom threshold rules configured do not suppress alerts with missing fields', + }, + }, + }, + response_actions: { + enabled: { + type: 'long', + _meta: { + description: 'Number of enabled custom threshold rules configured with response actions', + }, + }, + disabled: { + type: 'long', + _meta: { + description: 'Number of disabled custom threshold rules configured with response actions', + }, + }, + response_actions: { + endpoint: { + type: 'long', + _meta: { + description: 'Number of endpoint response actions within custom threshold rules', + }, + }, + osquery: { + type: 'long', + _meta: { + description: 'Number of osquery response actions within custom threshold rules', + }, + }, + }, + }, + has_exceptions: { + type: 'long', + _meta: { description: 'Number of custom threshold rules with exceptions' }, + }, + }, + eql: { + enabled: { type: 'long', _meta: { description: 'Number of eql rules enabled' } }, + disabled: { type: 'long', _meta: { description: 'Number of eql rules disabled' } }, + alerts: { + type: 'long', + _meta: { description: 'Number of alerts generated by eql rules' }, + }, + cases: { + type: 'long', + _meta: { description: 'Number of cases attached to eql detection rule alerts' }, + }, + legacy_notifications_enabled: { + type: 'long', + _meta: { description: 'Number of legacy 
notifications enabled' }, + }, + legacy_notifications_disabled: { + type: 'long', + _meta: { description: 'Number of legacy notifications disabled' }, + }, + notifications_enabled: { + type: 'long', + _meta: { description: 'Number of notifications enabled' }, + }, + notifications_disabled: { + type: 'long', + _meta: { description: 'Number of notifications enabled' }, + }, + legacy_investigation_fields: { + type: 'long', + _meta: { + description: + 'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS', + }, + }, + alert_suppression: { + enabled: { + type: 'long', + _meta: { + description: 'Number of enabled eql rules configured with suppression', + }, + }, + disabled: { + type: 'long', + _meta: { + description: 'Number of disabled eql rules configured with suppression', + }, + }, + suppressed_fields_count: { + one: { + type: 'long', + _meta: { + description: 'Number of eql rules configured with one suppression field', + }, + }, + two: { + type: 'long', + _meta: { + description: 'Number of eql rules configured with two suppression field', + }, + }, + three: { + type: 'long', + _meta: { + description: 'Number of eql rules configured with three suppression field', + }, + }, + }, + suppressed_per_time_period: { + type: 'long', + _meta: { + description: 'Number of eql rules configured with suppression per time period', + }, + }, + suppressed_per_rule_execution: { + type: 'long', + _meta: { + description: 'Number of eql rules configured with suppression per rule execution', + }, + }, + suppresses_missing_fields: { + type: 'long', + _meta: { + description: 'Number of eql rules configured to suppress alerts with missing fields', + }, + }, + does_not_suppress_missing_fields: { + type: 'long', + _meta: { + description: 'Number of eql rules configured do not suppress alerts with missing fields', + }, + }, + }, + response_actions: { + enabled: { + type: 'long', + _meta: { + description: 'Number of enabled eql rules configured with response 
actions', + }, + }, + disabled: { + type: 'long', + _meta: { + description: 'Number of disabled eql rules configured with response actions', + }, + }, + response_actions: { + endpoint: { + type: 'long', + _meta: { + description: 'Number of endpoint response actions within eql rules', + }, + }, + osquery: { + type: 'long', + _meta: { description: 'Number of osquery response actions within eql rules' }, + }, + }, + }, + has_exceptions: { + type: 'long', + _meta: { description: 'Number of EQL rules with exceptions' }, + }, + }, + eql_custom: { + enabled: { type: 'long', _meta: { description: 'Number of custom eql rules enabled' } }, + disabled: { type: 'long', _meta: { description: 'Number of custom eql rules disabled' } }, + alerts: { + type: 'long', + _meta: { description: 'Number of alerts generated by custom eql rules' }, + }, + cases: { + type: 'long', + _meta: { description: 'Number of cases attached to custom eql detection rule alerts' }, + }, + legacy_notifications_enabled: { + type: 'long', + _meta: { description: 'Number of custom EQL rules with legacy notifications enabled' }, + }, + legacy_notifications_disabled: { + type: 'long', + _meta: { description: 'Number of custom EQL rules with legacy notifications disabled' }, + }, + notifications_enabled: { + type: 'long', + _meta: { description: 'Number of custom EQL rules with notifications enabled' }, + }, + notifications_disabled: { + type: 'long', + _meta: { description: 'Number of custom EQL rules with notifications disabled' }, + }, + legacy_investigation_fields: { + type: 'long', + _meta: { + description: + 'Number of custom EQL rules using the legacy investigation fields type introduced only in 8.10 ESS', + }, + }, + alert_suppression: { + enabled: { + type: 'long', + _meta: { + description: 'Number of enabled custom eql rules configured with suppression', + }, + }, + disabled: { + type: 'long', + _meta: { + description: 'Number of disabled custom eql rules configured with suppression', + }, + }, + 
suppressed_fields_count: { + one: { + type: 'long', + _meta: { + description: 'Number of custom eql rules configured with one suppression field', + }, + }, + two: { + type: 'long', + _meta: { + description: 'Number of custom eql rules configured with two suppression field', + }, + }, + three: { + type: 'long', + _meta: { + description: 'Number of custom eql rules configured with three suppression field', + }, + }, + }, + suppressed_per_time_period: { + type: 'long', + _meta: { + description: 'Number of custom eql rules configured with suppression per time period', + }, + }, + suppressed_per_rule_execution: { + type: 'long', + _meta: { + description: 'Number of custom eql rules configured with suppression per rule execution', + }, + }, + suppresses_missing_fields: { + type: 'long', + _meta: { + description: + 'Number of custom eql rules configured to suppress alerts with missing fields', + }, + }, + does_not_suppress_missing_fields: { + type: 'long', + _meta: { + description: + 'Number of custom eql rules configured do not suppress alerts with missing fields', + }, + }, + }, + response_actions: { + enabled: { + type: 'long', + _meta: { + description: 'Number of enabled custom EQL rules configured with response actions', + }, + }, + disabled: { + type: 'long', + _meta: { + description: 'Number of disabled custom EQL rules configured with response actions', + }, + }, + response_actions: { + endpoint: { + type: 'long', + _meta: { + description: 'Number of endpoint response actions within custom EQL rules', + }, + }, + osquery: { + type: 'long', + _meta: { description: 'Number of osquery response actions within custom EQL rules' }, + }, + }, + }, + has_exceptions: { + type: 'long', + _meta: { description: 'Number of custom EQL rules with exceptions' }, + }, + }, + machine_learning: { + enabled: { + type: 'long', + _meta: { description: 'Number of machine_learning rules enabled' }, + }, + disabled: { + type: 'long', + _meta: { description: 'Number of machine_learning 
rules disabled' }, + }, + alerts: { + type: 'long', + _meta: { description: 'Number of alerts generated by machine_learning rules' }, + }, + cases: { + type: 'long', + _meta: { + description: 'Number of cases attached to machine_learning detection rule alerts', + }, + }, + legacy_notifications_enabled: { + type: 'long', + _meta: { description: 'Number of legacy notifications enabled' }, + }, + legacy_notifications_disabled: { + type: 'long', + _meta: { description: 'Number of legacy notifications disabled' }, + }, + notifications_enabled: { + type: 'long', + _meta: { description: 'Number of notifications enabled' }, + }, + notifications_disabled: { + type: 'long', + _meta: { description: 'Number of notifications enabled' }, + }, + legacy_investigation_fields: { + type: 'long', + _meta: { + description: + 'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS', + }, + }, + alert_suppression: { + enabled: { + type: 'long', + _meta: { + description: 'Number of enabled machine_learning rules configured with suppression', + }, + }, + disabled: { + type: 'long', + _meta: { + description: 'Number of disabled machine_learning rules configured with suppression', + }, + }, + suppressed_fields_count: { + one: { + type: 'long', + _meta: { + description: 'Number of machine_learning rules configured with one suppression field', + }, + }, + two: { + type: 'long', + _meta: { + description: 'Number of machine_learning rules configured with two suppression field', + }, + }, + three: { + type: 'long', + _meta: { + description: 'Number of machine_learning rules configured with three suppression field', + }, + }, + }, + suppressed_per_time_period: { + type: 'long', + _meta: { + description: + 'Number of machine_learning rules configured with suppression per time period', + }, + }, + suppressed_per_rule_execution: { + type: 'long', + _meta: { + description: + 'Number of machine_learning rules configured with suppression per rule execution', + }, + }, + 
suppresses_missing_fields: { + type: 'long', + _meta: { + description: + 'Number of machine_learning rules configured to suppress alerts with missing fields', + }, + }, + does_not_suppress_missing_fields: { + type: 'long', + _meta: { + description: + 'Number of machine_learning rules configured do not suppress alerts with missing fields', + }, + }, + }, + response_actions: { + enabled: { + type: 'long', + _meta: { + description: 'Number of enabled ML rules configured with response actions', + }, + }, + disabled: { + type: 'long', + _meta: { + description: 'Number of disabled ML rules configured with response actions', + }, + }, + response_actions: { + endpoint: { + type: 'long', + _meta: { + description: 'Number of endpoint response actions within ML rules', + }, + }, + osquery: { + type: 'long', + _meta: { description: 'Number of osquery response actions within ML rules' }, + }, + }, + }, + has_exceptions: { + type: 'long', + _meta: { description: 'Number of ML rules with exceptions' }, + }, + }, + machine_learning_custom: { + enabled: { + type: 'long', + _meta: { description: 'Number of custom machine_learning rules enabled' }, + }, + disabled: { + type: 'long', + _meta: { description: 'Number of custom machine_learning rules disabled' }, + }, + alerts: { + type: 'long', + _meta: { description: 'Number of alerts generated by custom machine_learning rules' }, + }, + cases: { + type: 'long', + _meta: { + description: 'Number of cases attached to custom machine_learning detection rule alerts', + }, + }, + legacy_notifications_enabled: { + type: 'long', + _meta: { description: 'Number of custom ML rules with legacy notifications enabled' }, + }, + legacy_notifications_disabled: { + type: 'long', + _meta: { description: 'Number of custom ML rules with legacy notifications disabled' }, + }, + notifications_enabled: { + type: 'long', + _meta: { description: 'Number of custom ML rules with notifications enabled' }, + }, + notifications_disabled: { + type: 'long', + 
_meta: { description: 'Number of custom ML rules with notifications disabled' }, + }, + legacy_investigation_fields: { + type: 'long', + _meta: { + description: + 'Number of custom ML rules using the legacy investigation fields type introduced only in 8.10 ESS', + }, + }, + alert_suppression: { + enabled: { + type: 'long', + _meta: { + description: + 'Number of enabled custom machine_learning rules configured with suppression', + }, + }, + disabled: { + type: 'long', + _meta: { + description: + 'Number of disabled custom machine_learning rules configured with suppression', + }, + }, + suppressed_fields_count: { + one: { + type: 'long', + _meta: { + description: + 'Number of custom machine_learning rules configured with one suppression field', + }, + }, + two: { + type: 'long', + _meta: { + description: + 'Number of custom machine_learning rules configured with two suppression field', + }, + }, + three: { + type: 'long', + _meta: { + description: + 'Number of custom machine_learning rules configured with three suppression field', + }, + }, + }, + suppressed_per_time_period: { + type: 'long', + _meta: { + description: + 'Number of custom machine_learning rules configured with suppression per time period', + }, + }, + suppressed_per_rule_execution: { + type: 'long', + _meta: { + description: + 'Number of custom machine_learning rules configured with suppression per rule execution', + }, + }, + suppresses_missing_fields: { + type: 'long', + _meta: { + description: + 'Number of custom machine_learning rules configured to suppress alerts with missing fields', + }, + }, + does_not_suppress_missing_fields: { + type: 'long', + _meta: { + description: + 'Number of custom machine_learning rules configured do not suppress alerts with missing fields', + }, + }, + }, + response_actions: { + enabled: { + type: 'long', + _meta: { + description: 'Number of enabled custom ML rules configured with response actions', + }, + }, + disabled: { + type: 'long', + _meta: { + description: 
'Number of disabled custom ML rules configured with response actions', + }, + }, + response_actions: { + endpoint: { + type: 'long', + _meta: { + description: 'Number of endpoint response actions within custom ML rules', + }, + }, + osquery: { + type: 'long', + _meta: { description: 'Number of osquery response actions within custom ML rules' }, + }, + }, + }, + has_exceptions: { + type: 'long', + _meta: { description: 'Number of custom ML rules with exceptions' }, + }, + }, + threat_match: { + enabled: { + type: 'long', + _meta: { description: 'Number of threat_match rules enabled' }, + }, + disabled: { + type: 'long', + _meta: { description: 'Number of threat_match rules disabled' }, + }, + alerts: { + type: 'long', + _meta: { description: 'Number of alerts generated by threat_match rules' }, + }, + cases: { + type: 'long', + _meta: { + description: 'Number of cases attached to threat_match detection rule alerts', + }, + }, + legacy_notifications_enabled: { + type: 'long', + _meta: { description: 'Number of legacy notifications enabled' }, + }, + legacy_notifications_disabled: { + type: 'long', + _meta: { description: 'Number of legacy notifications disabled' }, + }, + notifications_enabled: { + type: 'long', + _meta: { description: 'Number of notifications enabled' }, + }, + notifications_disabled: { + type: 'long', + _meta: { description: 'Number of notifications enabled' }, + }, + legacy_investigation_fields: { + type: 'long', + _meta: { + description: + 'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS', + }, + }, + alert_suppression: { + enabled: { + type: 'long', + _meta: { + description: 'Number of enabled threat_match rules configured with suppression', + }, + }, + disabled: { + type: 'long', + _meta: { + description: 'Number of disabled threat_match rules configured with suppression', + }, + }, + suppressed_fields_count: { + one: { + type: 'long', + _meta: { + description: 'Number of threat_match rules configured with 
one suppression field', + }, + }, + two: { + type: 'long', + _meta: { + description: 'Number of threat_match rules configured with two suppression field', + }, + }, + three: { + type: 'long', + _meta: { + description: 'Number of threat_match rules configured with three suppression field', + }, + }, + }, + suppressed_per_time_period: { + type: 'long', + _meta: { + description: 'Number of threat_match rules configured with suppression per time period', + }, + }, + suppressed_per_rule_execution: { + type: 'long', + _meta: { + description: + 'Number of threat_match rules configured with suppression per rule execution', + }, + }, + suppresses_missing_fields: { + type: 'long', + _meta: { + description: + 'Number of threat_match rules configured to suppress alerts with missing fields', + }, + }, + does_not_suppress_missing_fields: { + type: 'long', + _meta: { + description: + 'Number of threat_match rules configured do not suppress alerts with missing fields', + }, + }, + }, + response_actions: { + enabled: { + type: 'long', + _meta: { + description: 'Number of enabled threat match rules configured with response actions', + }, + }, + disabled: { + type: 'long', + _meta: { + description: 'Number of disabled threat match rules configured with response actions', + }, + }, + response_actions: { + endpoint: { + type: 'long', + _meta: { + description: 'Number of endpoint response actions within threat match rules', + }, + }, + osquery: { + type: 'long', + _meta: { description: 'Number of osquery response actions within threat match rules' }, + }, + }, + }, + has_exceptions: { + type: 'long', + _meta: { description: 'Number of threat match rules with exceptions' }, + }, + }, + threat_match_custom: { + enabled: { + type: 'long', + _meta: { description: 'Number of custom threat_match rules enabled' }, + }, + disabled: { + type: 'long', + _meta: { description: 'Number of custom threat_match rules disabled' }, + }, + alerts: { + type: 'long', + _meta: { description: 'Number of 
alerts generated by custom threat_match rules' }, + }, + cases: { + type: 'long', + _meta: { + description: 'Number of cases attached to custom threat_match detection rule alerts', + }, + }, + legacy_notifications_enabled: { + type: 'long', + _meta: { description: 'Number of custom IM rules with legacy notifications enabled' }, + }, + legacy_notifications_disabled: { + type: 'long', + _meta: { description: 'Number of custom IM rules with legacy notifications disabled' }, + }, + notifications_enabled: { + type: 'long', + _meta: { description: 'Number of custom IM rules with notifications enabled' }, + }, + notifications_disabled: { + type: 'long', + _meta: { description: 'Number of custom IM rules with notifications disabled' }, + }, + legacy_investigation_fields: { + type: 'long', + _meta: { + description: + 'Number of custom IM rules using the legacy investigation fields type introduced only in 8.10 ESS', + }, + }, + alert_suppression: { + enabled: { + type: 'long', + _meta: { + description: 'Number of enabled custom threat_match rules configured with suppression', + }, + }, + disabled: { + type: 'long', + _meta: { + description: 'Number of disabled custom threat_match rules configured with suppression', + }, + }, + suppressed_fields_count: { + one: { + type: 'long', + _meta: { + description: + 'Number of custom threat_match rules configured with one suppression field', + }, + }, + two: { + type: 'long', + _meta: { + description: + 'Number of custom threat_match rules configured with two suppression field', + }, + }, + three: { + type: 'long', + _meta: { + description: + 'Number of custom threat_match rules configured with three suppression field', + }, + }, + }, + suppressed_per_time_period: { + type: 'long', + _meta: { + description: + 'Number of custom threat_match rules configured with suppression per time period', + }, + }, + suppressed_per_rule_execution: { + type: 'long', + _meta: { + description: + 'Number of custom threat_match rules configured with 
suppression per rule execution', + }, + }, + suppresses_missing_fields: { + type: 'long', + _meta: { + description: + 'Number of custom threat_match rules configured to suppress alerts with missing fields', + }, + }, + does_not_suppress_missing_fields: { + type: 'long', + _meta: { + description: + 'Number of custom threat_match rules configured do not suppress alerts with missing fields', + }, + }, + }, + response_actions: { + enabled: { + type: 'long', + _meta: { + description: + 'Number of enabled custom threat match rules configured with response actions', + }, + }, + disabled: { + type: 'long', + _meta: { + description: + 'Number of disabled custom threat match rules configured with response actions', + }, + }, + response_actions: { + endpoint: { + type: 'long', + _meta: { + description: 'Number of endpoint response actions within custom threat match rules', + }, + }, + osquery: { + type: 'long', + _meta: { + description: 'Number of osquery response actions within custom threat match rules', + }, + }, + }, + }, + has_exceptions: { + type: 'long', + _meta: { description: 'Number of custom threat match rules with exceptions' }, + }, + }, + new_terms: { + enabled: { + type: 'long', + _meta: { description: 'Number of new_terms rules enabled' }, + }, + disabled: { + type: 'long', + _meta: { description: 'Number of new_terms rules disabled' }, + }, + alerts: { + type: 'long', + _meta: { description: 'Number of alerts generated by new_terms rules' }, + }, + cases: { + type: 'long', + _meta: { + description: 'Number of cases attached to new_terms detection rule alerts', + }, + }, + legacy_notifications_enabled: { + type: 'long', + _meta: { description: 'Number of legacy notifications enabled' }, + }, + legacy_notifications_disabled: { + type: 'long', + _meta: { description: 'Number of legacy notifications disabled' }, + }, + notifications_enabled: { + type: 'long', + _meta: { description: 'Number of notifications enabled' }, + }, + notifications_disabled: { + type: 
'long', + _meta: { description: 'Number of notifications enabled' }, + }, + legacy_investigation_fields: { + type: 'long', + _meta: { + description: + 'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS', + }, + }, + alert_suppression: { + enabled: { + type: 'long', + _meta: { + description: 'Number of enabled new_terms rules configured with suppression', + }, + }, + disabled: { + type: 'long', + _meta: { + description: 'Number of disabled new_terms rules configured with suppression', + }, + }, + suppressed_fields_count: { + one: { + type: 'long', + _meta: { + description: 'Number of new_terms rules configured with one suppression field', + }, + }, + two: { + type: 'long', + _meta: { + description: 'Number of new_terms rules configured with two suppression field', + }, + }, + three: { + type: 'long', + _meta: { + description: 'Number of new_terms rules configured with three suppression field', + }, + }, + }, + suppressed_per_time_period: { + type: 'long', + _meta: { + description: 'Number of new_terms rules configured with suppression per time period', + }, + }, + suppressed_per_rule_execution: { + type: 'long', + _meta: { + description: 'Number of new_terms rules configured with suppression per rule execution', + }, + }, + suppresses_missing_fields: { + type: 'long', + _meta: { + description: + 'Number of new_terms rules configured to suppress alerts with missing fields', + }, + }, + does_not_suppress_missing_fields: { + type: 'long', + _meta: { + description: + 'Number of new_terms rules configured do not suppress alerts with missing fields', + }, + }, + }, + response_actions: { + enabled: { + type: 'long', + _meta: { + description: 'Number of enabled new terms rules configured with response actions', + }, + }, + disabled: { + type: 'long', + _meta: { + description: 'Number of disabled new terms rules configured with response actions', + }, + }, + response_actions: { + endpoint: { + type: 'long', + _meta: { + description: 
'Number of endpoint response actions within new terms rules', + }, + }, + osquery: { + type: 'long', + _meta: { description: 'Number of osquery response actions within new terms rules' }, + }, + }, + }, + has_exceptions: { + type: 'long', + _meta: { description: 'Number of New Terms rules with exceptions' }, + }, + }, + new_terms_custom: { + enabled: { + type: 'long', + _meta: { description: 'Number of custom new_terms rules enabled' }, + }, + disabled: { + type: 'long', + _meta: { description: 'Number of custom new_terms rules disabled' }, + }, + alerts: { + type: 'long', + _meta: { description: 'Number of alerts generated by custom new_terms rules' }, + }, + cases: { + type: 'long', + _meta: { + description: 'Number of cases attached to custom new_terms detection rule alerts', + }, + }, + legacy_notifications_enabled: { + type: 'long', + _meta: { description: 'Number of custom New Terms rules with legacy notifications enabled' }, + }, + legacy_notifications_disabled: { + type: 'long', + _meta: { description: 'Number of custom New Terms rules with legacy notifications disabled' }, + }, + notifications_enabled: { + type: 'long', + _meta: { description: 'Number of custom New Terms rules with notifications enabled' }, + }, + notifications_disabled: { + type: 'long', + _meta: { description: 'Number of custom New Terms rules with notifications disabled' }, + }, + legacy_investigation_fields: { + type: 'long', + _meta: { + description: + 'Number of custom New Terms rules using the legacy investigation fields type introduced only in 8.10 ESS', + }, + }, + alert_suppression: { + enabled: { + type: 'long', + _meta: { + description: 'Number of enabled custom new_terms rules configured with suppression', + }, + }, + disabled: { + type: 'long', + _meta: { + description: 'Number of disabled custom new_terms rules configured with suppression', + }, + }, + suppressed_fields_count: { + one: { + type: 'long', + _meta: { + description: 'Number of custom new_terms rules configured 
with one suppression field', + }, + }, + two: { + type: 'long', + _meta: { + description: 'Number of custom new_terms rules configured with two suppression field', + }, + }, + three: { + type: 'long', + _meta: { + description: 'Number of custom new_terms rules configured with three suppression field', + }, + }, + }, + suppressed_per_time_period: { + type: 'long', + _meta: { + description: + 'Number of custom new_terms rules configured with suppression per time period', + }, + }, + suppressed_per_rule_execution: { + type: 'long', + _meta: { + description: + 'Number of custom new_terms rules configured with suppression per rule execution', + }, + }, + suppresses_missing_fields: { + type: 'long', + _meta: { + description: + 'Number of custom new_terms rules configured to suppress alerts with missing fields', + }, + }, + does_not_suppress_missing_fields: { + type: 'long', + _meta: { + description: + 'Number of custom new_terms rules configured do not suppress alerts with missing fields', + }, + }, + }, + response_actions: { + enabled: { + type: 'long', + _meta: { + description: 'Number of enabled custom new terms rules configured with response actions', + }, + }, + disabled: { + type: 'long', + _meta: { + description: 'Number of disabled custom new terms rules configured with response actions', + }, + }, + response_actions: { + endpoint: { + type: 'long', + _meta: { + description: 'Number of endpoint response actions within custom new terms rules', + }, + }, + osquery: { + type: 'long', + _meta: { + description: 'Number of osquery response actions within custom new terms rules', + }, + }, + }, + }, + has_exceptions: { + type: 'long', + _meta: { description: 'Number of custom New Terms rules with exceptions' }, + }, + }, + esql: { + enabled: { + type: 'long', + _meta: { description: 'Number of esql rules enabled' }, + }, + disabled: { + type: 'long', + _meta: { description: 'Number of esql rules disabled' }, + }, + alerts: { + type: 'long', + _meta: { description: 
'Number of alerts generated by esql rules' }, + }, + cases: { + type: 'long', + _meta: { + description: 'Number of cases attached to esql detection rule alerts', + }, + }, + legacy_notifications_enabled: { + type: 'long', + _meta: { description: 'Number of legacy notifications enabled' }, + }, + legacy_notifications_disabled: { + type: 'long', + _meta: { description: 'Number of legacy notifications disabled' }, + }, + notifications_enabled: { + type: 'long', + _meta: { description: 'Number of notifications enabled' }, + }, + notifications_disabled: { + type: 'long', + _meta: { description: 'Number of notifications enabled' }, + }, + legacy_investigation_fields: { + type: 'long', + _meta: { + description: + 'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS', + }, + }, + alert_suppression: { + enabled: { + type: 'long', + _meta: { + description: 'Number of enabled esql rules configured with suppression', + }, + }, + disabled: { + type: 'long', + _meta: { + description: 'Number of disabled esql rules configured with suppression', + }, + }, + suppressed_fields_count: { + one: { + type: 'long', + _meta: { + description: 'Number of esql rules configured with one suppression field', + }, + }, + two: { + type: 'long', + _meta: { + description: 'Number of esql rules configured with two suppression field', + }, + }, + three: { + type: 'long', + _meta: { + description: 'Number of esql rules configured with three suppression field', + }, + }, + }, + suppressed_per_time_period: { + type: 'long', + _meta: { + description: 'Number of esql rules configured with suppression per time period', + }, + }, + suppressed_per_rule_execution: { + type: 'long', + _meta: { + description: 'Number of esql rules configured with suppression per rule execution', + }, + }, + suppresses_missing_fields: { + type: 'long', + _meta: { + description: 'Number of esql rules configured to suppress alerts with missing fields', + }, + }, + 
does_not_suppress_missing_fields: { + type: 'long', + _meta: { + description: 'Number of esql rules configured do not suppress alerts with missing fields', + }, + }, + }, + response_actions: { + enabled: { + type: 'long', + _meta: { + description: 'Number of enabled ES|QL rules configured with response actions', + }, + }, + disabled: { + type: 'long', + _meta: { + description: 'Number of disabled ES|QL rules configured with response actions', + }, + }, + response_actions: { + endpoint: { + type: 'long', + _meta: { + description: 'Number of endpoint response actions within ES|QL rules', + }, + }, + osquery: { + type: 'long', + _meta: { description: 'Number of osquery response actions within ES|QL rules' }, + }, + }, + }, + has_exceptions: { + type: 'long', + _meta: { description: 'Number of ES|QL rules with exceptions' }, + }, + }, + esql_custom: { + enabled: { + type: 'long', + _meta: { description: 'Number of custom esql rules enabled' }, + }, + disabled: { + type: 'long', + _meta: { description: 'Number of custom esql rules disabled' }, + }, + alerts: { + type: 'long', + _meta: { description: 'Number of alerts generated by custom esql rules' }, + }, + cases: { + type: 'long', + _meta: { + description: 'Number of cases attached to custom esql detection rule alerts', + }, + }, + legacy_notifications_enabled: { + type: 'long', + _meta: { description: 'Number of custom ES|QL rules with legacy notifications enabled' }, + }, + legacy_notifications_disabled: { + type: 'long', + _meta: { description: 'Number of custom ES|QL rules with legacy notifications disabled' }, + }, + notifications_enabled: { + type: 'long', + _meta: { description: 'Number of custom ES|QL rules with notifications enabled' }, + }, + notifications_disabled: { + type: 'long', + _meta: { description: 'Number of custom ES|QL rules with notifications disabled' }, + }, + legacy_investigation_fields: { + type: 'long', + _meta: { + description: + 'Number of custom ES|QL rules using the legacy investigation 
fields type introduced only in 8.10 ESS', + }, + }, + alert_suppression: { + enabled: { + type: 'long', + _meta: { + description: 'Number of enabled custom esql rules configured with suppression', + }, + }, + disabled: { + type: 'long', + _meta: { + description: 'Number of disabled custom esql rules configured with suppression', + }, + }, + suppressed_fields_count: { + one: { + type: 'long', + _meta: { + description: 'Number of custom esql rules configured with one suppression field', + }, + }, + two: { + type: 'long', + _meta: { + description: 'Number of custom esql rules configured with two suppression field', + }, + }, + three: { + type: 'long', + _meta: { + description: 'Number of custom esql rules configured with three suppression field', + }, + }, + }, + suppressed_per_time_period: { + type: 'long', + _meta: { + description: 'Number of custom esql rules configured with suppression per time period', + }, + }, + suppressed_per_rule_execution: { + type: 'long', + _meta: { + description: 'Number of custom esql rules configured with suppression per rule execution', + }, + }, + suppresses_missing_fields: { + type: 'long', + _meta: { + description: + 'Number of custom esql rules configured to suppress alerts with missing fields', + }, + }, + does_not_suppress_missing_fields: { + type: 'long', + _meta: { + description: + 'Number of custom esql rules configured do not suppress alerts with missing fields', + }, + }, + }, + response_actions: { + enabled: { + type: 'long', + _meta: { + description: 'Number of enabled custom ES|QL rules configured with response actions', + }, + }, + disabled: { + type: 'long', + _meta: { + description: 'Number of disabled custom ES|QL rules configured with response actions', + }, + }, + response_actions: { + endpoint: { + type: 'long', + _meta: { + description: 'Number of endpoint response actions within custom ES|QL rules', + }, + }, + osquery: { + type: 'long', + _meta: { description: 'Number of osquery response actions within custom 
ES|QL rules' }, + }, + }, + }, + has_exceptions: { + type: 'long', + _meta: { description: 'Number of custom ES|QL rules with exceptions' }, + }, + }, + elastic_total: { + enabled: { type: 'long', _meta: { description: 'Number of elastic rules enabled' } }, + disabled: { + type: 'long', + _meta: { description: 'Number of elastic rules disabled' }, + }, + alerts: { + type: 'long', + _meta: { description: 'Number of alerts generated by elastic rules' }, + }, + cases: { + type: 'long', + _meta: { description: 'Number of cases attached to elastic detection rule alerts' }, + }, + legacy_notifications_enabled: { + type: 'long', + _meta: { description: 'Number of legacy notifications enabled' }, + }, + legacy_notifications_disabled: { + type: 'long', + _meta: { description: 'Number of legacy notifications disabled' }, + }, + notifications_enabled: { + type: 'long', + _meta: { description: 'Number of notifications enabled' }, + }, + notifications_disabled: { + type: 'long', + _meta: { description: 'Number of notifications enabled' }, + }, + legacy_investigation_fields: { + type: 'long', + _meta: { + description: + 'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS', + }, + }, + alert_suppression: { + enabled: { + type: 'long', + _meta: { + description: 'Number of enabled elastic rules configured with suppression', + }, + }, + disabled: { + type: 'long', + _meta: { + description: 'Number of disabled elastic rules configured with suppression', + }, + }, + suppressed_fields_count: { + one: { + type: 'long', + _meta: { + description: 'Number of elastic rules configured with one suppression field', + }, + }, + two: { + type: 'long', + _meta: { + description: 'Number of elastic rules configured with two suppression field', + }, + }, + three: { + type: 'long', + _meta: { + description: 'Number of elastic rules configured with three suppression field', + }, + }, + }, + suppressed_per_time_period: { + type: 'long', + _meta: { + description: 
'Number of elastic rules configured with suppression per time period', + }, + }, + suppressed_per_rule_execution: { + type: 'long', + _meta: { + description: 'Number of elastic rules configured with suppression per rule execution', + }, + }, + suppresses_missing_fields: { + type: 'long', + _meta: { + description: 'Number of elastic rules configured to suppress alerts with missing fields', + }, + }, + does_not_suppress_missing_fields: { + type: 'long', + _meta: { + description: + 'Number of elastic rules configured do not suppress alerts with missing fields', + }, + }, + }, + response_actions: { + enabled: { + type: 'long', + _meta: { + description: 'Number of enabled prebuilt rules configured with response actions', + }, + }, + disabled: { + type: 'long', + _meta: { + description: 'Number of disabled prebuilt rules configured with response actions', + }, + }, + response_actions: { + endpoint: { + type: 'long', + _meta: { + description: 'Number of endpoint response actions within prebuilt rules', + }, + }, + osquery: { + type: 'long', + _meta: { description: 'Number of osquery response actions within prebuilt rules' }, + }, + }, + }, + has_exceptions: { + type: 'long', + _meta: { description: 'Number of prebuilt rules with exceptions' }, + }, + }, + custom_total: { + enabled: { type: 'long', _meta: { description: 'Number of custom rules enabled' } }, + disabled: { type: 'long', _meta: { description: 'Number of custom rules disabled' } }, + alerts: { + type: 'long', + _meta: { description: 'Number of alerts generated by custom rules' }, + }, + cases: { + type: 'long', + _meta: { description: 'Number of cases attached to custom detection rule alerts' }, + }, + legacy_notifications_enabled: { + type: 'long', + _meta: { description: 'Number of legacy notifications enabled' }, + }, + legacy_notifications_disabled: { + type: 'long', + _meta: { description: 'Number of legacy notifications disabled' }, + }, + notifications_enabled: { + type: 'long', + _meta: { description: 
'Number of notifications enabled' }, + }, + notifications_disabled: { + type: 'long', + _meta: { description: 'Number of notifications enabled' }, + }, + legacy_investigation_fields: { + type: 'long', + _meta: { + description: + 'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS', + }, + }, + alert_suppression: { + enabled: { + type: 'long', + _meta: { + description: 'Number of enabled custom rules configured with suppression', + }, + }, + disabled: { + type: 'long', + _meta: { + description: 'Number of disabled custom rules configured with suppression', + }, + }, + suppressed_fields_count: { + one: { + type: 'long', + _meta: { + description: 'Number of custom rules configured with one suppression field', + }, + }, + two: { + type: 'long', + _meta: { + description: 'Number of custom rules configured with two suppression field', + }, + }, + three: { + type: 'long', + _meta: { + description: 'Number of custom rules configured with three suppression field', + }, + }, + }, + suppressed_per_time_period: { + type: 'long', + _meta: { + description: 'Number of custom rules configured with suppression per time period', + }, + }, + suppressed_per_rule_execution: { + type: 'long', + _meta: { + description: 'Number of custom rules configured with suppression per rule execution', + }, + }, + suppresses_missing_fields: { + type: 'long', + _meta: { + description: 'Number of custom rules configured to suppress alerts with missing fields', + }, + }, + does_not_suppress_missing_fields: { + type: 'long', + _meta: { + description: + 'Number of custom rules configured do not suppress alerts with missing fields', + }, + }, + }, + response_actions: { + enabled: { + type: 'long', + _meta: { + description: 'Number of enabled custom rules configured with response actions', + }, + }, + disabled: { + type: 'long', + _meta: { + description: 'Number of disabled custom rules configured with response actions', + }, + }, + response_actions: { + endpoint: { + 
type: 'long', + _meta: { + description: 'Number of endpoint response actions within custom rules', + }, + }, + osquery: { + type: 'long', + _meta: { description: 'Number of osquery response actions within custom rules' }, + }, + }, + }, + has_exceptions: { + type: 'long', + _meta: { description: 'Number of custom rules with exceptions' }, + }, + }, +}; diff --git a/x-pack/solutions/security/plugins/security_solution/server/usage/detections/rules/schemas/prebuilt_rule_detail.ts b/x-pack/solutions/security/plugins/security_solution/server/usage/detections/rules/schemas/prebuilt_rule_detail.ts new file mode 100644 index 0000000000000..ab03b53986cb4 --- /dev/null +++ b/x-pack/solutions/security/plugins/security_solution/server/usage/detections/rules/schemas/prebuilt_rule_detail.ts 
@@ -0,0 +1,96 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type { MakeSchemaFrom } from '@kbn/usage-collection-plugin/server'; +import type { RuleMetric } from '../types'; + +export const ruleMetricsSchema: MakeSchemaFrom = { + rule_name: { + type: 'keyword', + _meta: { description: 'The name of the detection rule' }, + }, + rule_id: { + type: 'keyword', + _meta: { description: 'The UUID id of the detection rule' }, + }, + rule_type: { + type: 'keyword', + _meta: { description: 'The type of detection rule. ie eql, query...' }, + }, + rule_version: { type: 'long', _meta: { description: 'The version of the rule' } }, + enabled: { + type: 'boolean', + _meta: { description: 'If the detection rule has been enabled by the user' }, + }, + elastic_rule: { + type: 'boolean', + _meta: { description: 'If the detection rule has been authored by Elastic' }, + }, + created_on: { + type: 'keyword', + _meta: { description: 'When the detection rule was created on the cluster' }, + }, + updated_on: { + type: 'keyword', + _meta: { description: 'When the detection rule was updated on the cluster' }, + }, + alert_count_daily: { + type: 'long', + _meta: { description: 'The number of daily alerts generated by a rule' }, + }, + cases_count_total: { + type: 'long', + _meta: { description: 'The number of total cases generated by a rule' }, + }, + has_legacy_notification: { + type: 'boolean', + _meta: { description: 'True if this rule has a legacy notification' }, + }, + has_notification: { + type: 'boolean', + _meta: { description: 'True if this rule has a notification' }, + }, + has_legacy_investigation_field: { + type: 'boolean', + _meta: { description: 'True if this rule has a legacy investigation field' }, + }, + 
has_alert_suppression_missing_fields_strategy_do_not_suppress: { + type: 'boolean', + _meta: { + description: + 'True if this rule has alert suppression missing fields strategy do not suppress', + }, + }, + has_alert_suppression_per_rule_execution: { + type: 'boolean', + _meta: { description: 'True if this rule has alert suppression per rule execution' }, + }, + has_alert_suppression_per_time_period: { + type: 'boolean', + _meta: { description: 'True if this rule has alert suppression per time period' }, + }, + alert_suppression_fields_count: { + type: 'long', + _meta: { description: 'The number of alert suppression fields for this rule' }, + }, + has_response_actions: { + type: 'boolean', + _meta: { description: 'True if this rule has response actions' }, + }, + has_response_actions_endpoint: { + type: 'boolean', + _meta: { description: 'True if this rule has endpoint response actions' }, + }, + has_response_actions_osquery: { + type: 'boolean', + _meta: { description: 'True if this rule has osquery response actions' }, + }, + has_exceptions: { + type: 'boolean', + _meta: { description: 'True if this rule has exceptions' }, + }, +}; diff --git a/x-pack/solutions/security/plugins/security_solution/server/usage/detections/rules/types.ts b/x-pack/solutions/security/plugins/security_solution/server/usage/detections/rules/types.ts index 133abbc4ffa31..7e9eec0bcf9e5 100644 --- a/x-pack/solutions/security/plugins/security_solution/server/usage/detections/rules/types.ts +++ b/x-pack/solutions/security/plugins/security_solution/server/usage/detections/rules/types.ts 
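Review bot: `ruleMetricsSchema` declares `rule_name` as a reported `keyword`, but nothing on the export states which rules flow through it; the file name and the `elastic_rule` field suggest only Elastic-authored rules, yet if customer-authored rules were ever reported with this schema their user-written names would leave the cluster in telemetry. A TSDoc on the export should pin that contract, e.g. `/** Per-rule telemetry schema. Intended for Elastic-authored (prebuilt) rules only; rule_name must not be reported for customer-authored rules. */`, adjusted to what the collector that uses it actually filters on. The `rule_type` description reads `ie eql, query...`; `e.g. eql, query` is the intended wording. The generic argument of `MakeSchemaFrom` appears to have been lost in this rendering; presumably it is `MakeSchemaFrom<RuleMetric>`, as the `RuleMetric` import implies.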
@@ -45,14 +45,21 @@ export interface FeatureTypeUsage {
 export interface RulesTypeUsage {
 query: FeatureTypeUsage;
+ query_custom: FeatureTypeUsage;
 threshold: FeatureTypeUsage;
+ threshold_custom: FeatureTypeUsage;
 eql: FeatureTypeUsage;
+ eql_custom: FeatureTypeUsage;
 machine_learning: FeatureTypeUsage;
+ machine_learning_custom: FeatureTypeUsage;
 threat_match: FeatureTypeUsage;
+ threat_match_custom: FeatureTypeUsage;
 new_terms: FeatureTypeUsage;
+ new_terms_custom: FeatureTypeUsage;
 elastic_total: FeatureTypeUsage;
 custom_total: FeatureTypeUsage;
 esql: FeatureTypeUsage;
+ esql_custom: FeatureTypeUsage;
 }
 
 export interface SpacesUsage {
diff --git a/x-pack/solutions/security/plugins/security_solution/server/usage/detections/rules/update_usage.test.ts b/x-pack/solutions/security/plugins/security_solution/server/usage/detections/rules/update_usage.test.ts
index 018e74f4c29f9..0cd7d57c535f8 100644
--- a/x-pack/solutions/security/plugins/security_solution/server/usage/detections/rules/update_usage.test.ts
+++ b/x-pack/solutions/security/plugins/security_solution/server/usage/detections/rules/update_usage.test.ts
@@ -396,6 +396,39 @@ describe('Detections Usage and Metrics', () => {
 },
 },
 },
+ machine_learning_custom: {
+ alerts: 0,
+ cases: 10,
+ disabled: 1,
+ enabled: 0,
+ legacy_notifications_enabled: 0,
+ legacy_notifications_disabled: 0,
+ notifications_enabled: 0,
+ notifications_disabled: 0,
+ legacy_investigation_fields: 0,
+ alert_suppression: {
+ disabled: 1,
+ does_not_suppress_missing_fields: 1,
+ enabled: 0,
+ suppressed_fields_count: {
+ one: 0,
+ three: 0,
+ two: 1,
+ },
+ suppressed_per_rule_execution: 0,
+ suppressed_per_time_period: 1,
+ suppresses_missing_fields: 0,
+ },
+ response_actions: {
+ enabled: 0,
+ disabled: 0,
+ response_actions: {
+ endpoint: 0,
+ osquery: 0,
+ },
+ },
+ has_exceptions: 1,
+ },
 query: {
 alerts: 10,
 cases: 4,
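Review bot: The seven new `*_custom` members of `RulesTypeUsage` are undocumented, and their relation to the un-suffixed keys is not obvious from the interface: in `update_usage.ts` the `query` bucket is updated for every query rule while `query_custom` is updated only when `elastic_rule` is false, so the un-suffixed bucket is a superset of the custom one, not the prebuilt complement. A comment above the first pair would stop consumers from summing the two, e.g. `/** <type> counts all rules of that type; <type>_custom counts only the customer-authored subset (elastic_rule === false). */`. Each new key also needs a matching entry in the usage schema, and the copies added there should be checked against the key name: the `notifications_disabled` entries in the new `new_terms`, `esql`, `elastic_total` and `custom_total` schema blocks still describe 'Number of notifications enabled', the same slip this commit fixes in the JSON schema for `query`.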
@@ -429,6 +462,39 @@ describe('Detections Usage and Metrics', () => {
 },
 },
 },
+ query_custom: {
+ alerts: 5,
+ cases: 2,
+ disabled: 0,
+ enabled: 1,
+ legacy_notifications_enabled: 0,
+ legacy_notifications_disabled: 0,
+ notifications_enabled: 0,
+ notifications_disabled: 0,
+ legacy_investigation_fields: 0,
+ alert_suppression: {
+ disabled: 0,
+ does_not_suppress_missing_fields: 1,
+ enabled: 1,
+ suppressed_fields_count: {
+ one: 0,
+ three: 0,
+ two: 1,
+ },
+ suppressed_per_rule_execution: 0,
+ suppressed_per_time_period: 1,
+ suppresses_missing_fields: 0,
+ },
+ response_actions: {
+ enabled: 0,
+ disabled: 0,
+ response_actions: {
+ endpoint: 0,
+ osquery: 0,
+ },
+ },
+ has_exceptions: 1,
+ },
 });
 });
diff --git a/x-pack/solutions/security/plugins/security_solution/server/usage/detections/rules/update_usage.ts b/x-pack/solutions/security/plugins/security_solution/server/usage/detections/rules/update_usage.ts
index 4c08e1ddc9cc0..88297a6cc4b32 100644
--- a/x-pack/solutions/security/plugins/security_solution/server/usage/detections/rules/update_usage.ts
+++ b/x-pack/solutions/security/plugins/security_solution/server/usage/detections/rules/update_usage.ts
@@ -23,6 +23,17 @@ export const updateRuleUsage = (
 detectionRuleMetric,
 }),
 };
+
+ if (!detectionRuleMetric.elastic_rule) {
+ updatedUsage = {
+ ...updatedUsage,
+ query_custom: updateQueryUsage({
+ ruleType: 'query_custom',
+ usage,
+ detectionRuleMetric,
+ }),
+ };
+ }
 } else if (detectionRuleMetric.rule_type === 'threshold') {
 updatedUsage = {
 ...usage,
@@ -32,6 +43,17 @@ export const updateRuleUsage = (
 detectionRuleMetric,
 }),
 };
+
+ if (!detectionRuleMetric.elastic_rule) {
+ updatedUsage = {
+ ...updatedUsage,
+ threshold_custom: updateQueryUsage({
+ ruleType: 'threshold_custom',
+ usage,
+ detectionRuleMetric,
+ }),
+ };
+ }
 } else if (detectionRuleMetric.rule_type === 'eql') {
 updatedUsage = {
 ...usage,
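Review bot: The `if (!detectionRuleMetric.elastic_rule)` block added after the `query` update is repeated verbatim in the `threshold`, `eql`, `machine_learning`, `threat_match`, `new_terms` and `esql` branches (hunks @@ -32 through @@ -77), differing only in the key literal, so a future rule type has to be copied an eighth time and nothing checks that the `_custom` literal matches its branch. Resolving the custom key once and applying it after the `rule_type` chain keeps the decision in one place and makes a mismatched key a compile error rather than a silent mis-bucketing. `updateRuleUsage` starts and continues outside the hunk, so the exact placement depends on how `updatedUsage` is declared above; the sketch below assumes `updateQueryUsage`'s `ruleType` accepts the `_custom` keys (the added calls already pass them) and that the key map's type can be narrowed to the real `rule_type` union.
```typescript
const CUSTOM_USAGE_KEY = {
  query: 'query_custom',
  threshold: 'threshold_custom',
  eql: 'eql_custom',
  machine_learning: 'machine_learning_custom',
  threat_match: 'threat_match_custom',
  new_terms: 'new_terms_custom',
  esql: 'esql_custom',
} as const;

// … unchanged: per-type branches that set `updatedUsage` for the un-suffixed bucket …

// Custom (non-Elastic) rules are additionally counted in their `_custom` bucket.
const customKey = CUSTOM_USAGE_KEY[detectionRuleMetric.rule_type as keyof typeof CUSTOM_USAGE_KEY];
if (!detectionRuleMetric.elastic_rule && customKey !== undefined) {
  updatedUsage = {
    ...updatedUsage,
    [customKey]: updateQueryUsage({ ruleType: customKey, usage, detectionRuleMetric }),
  };
}
```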
@@ -41,6 +63,17 @@ export const updateRuleUsage = (
 detectionRuleMetric,
 }),
 };
+
+ if (!detectionRuleMetric.elastic_rule) {
+ updatedUsage = {
+ ...updatedUsage,
+ eql_custom: updateQueryUsage({
+ ruleType: 'eql_custom',
+ usage,
+ detectionRuleMetric,
+ }),
+ };
+ }
 } else if (detectionRuleMetric.rule_type === 'machine_learning') {
 updatedUsage = {
 ...usage,
@@ -50,6 +83,17 @@ export const updateRuleUsage = (
 detectionRuleMetric,
 }),
 };
+
+ if (!detectionRuleMetric.elastic_rule) {
+ updatedUsage = {
+ ...updatedUsage,
+ machine_learning_custom: updateQueryUsage({
+ ruleType: 'machine_learning_custom',
+ usage,
+ detectionRuleMetric,
+ }),
+ };
+ }
 } else if (detectionRuleMetric.rule_type === 'threat_match') {
 updatedUsage = {
 ...usage,
@@ -59,6 +103,17 @@ export const updateRuleUsage = (
 detectionRuleMetric,
 }),
 };
+
+ if (!detectionRuleMetric.elastic_rule) {
+ updatedUsage = {
+ ...updatedUsage,
+ threat_match_custom: updateQueryUsage({
+ ruleType: 'threat_match_custom',
+ usage,
+ detectionRuleMetric,
+ }),
+ };
+ }
 } else if (detectionRuleMetric.rule_type === 'new_terms') {
 updatedUsage = {
 ...usage,
@@ -68,6 +123,17 @@ export const updateRuleUsage = (
 detectionRuleMetric,
 }),
 };
+
+ if (!detectionRuleMetric.elastic_rule) {
+ updatedUsage = {
+ ...updatedUsage,
+ new_terms_custom: updateQueryUsage({
+ ruleType: 'new_terms_custom',
+ usage,
+ detectionRuleMetric,
+ }),
+ };
+ }
 } else if (detectionRuleMetric.rule_type === 'esql') {
 updatedUsage = {
 ...usage,
@@ -77,6 +143,17 @@ export const updateRuleUsage = (
 detectionRuleMetric,
 }),
 };
+
+ if (!detectionRuleMetric.elastic_rule) {
+ updatedUsage = {
+ ...updatedUsage,
+ esql_custom: updateQueryUsage({
+ ruleType: 'esql_custom',
+ usage,
+ detectionRuleMetric,
+ }),
+ };
+ }
 }
 
 if (detectionRuleMetric.elastic_rule) {
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/telemetry/trial_license_complete_tier/usage_collector/detection_rules.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/telemetry/trial_license_complete_tier/usage_collector/detection_rules.ts index ebb040267951d..c5fe738857467 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/telemetry/trial_license_complete_tier/usage_collector/detection_rules.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/telemetry/trial_license_complete_tier/usage_collector/detection_rules.ts @@ -109,6 +109,15 @@ export default ({ getService }: FtrProviderContext) => { legacy_notifications_enabled: 0, legacy_investigation_fields: 0, }, + query_custom: { + ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.query_custom, + disabled: 1, + notifications_enabled: 0, + notifications_disabled: 0, + legacy_notifications_disabled: 0, + legacy_notifications_enabled: 0, + legacy_investigation_fields: 0, + }, custom_total: { ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total, disabled: 1, @@ -142,6 +151,16 @@ export default ({ getService }: FtrProviderContext) => { legacy_notifications_enabled: 0, legacy_investigation_fields: 0, }, + query_custom: { + ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.query_custom, + enabled: 1, + alerts: 4, + notifications_enabled: 0, + notifications_disabled: 0, + legacy_notifications_disabled: 0, + legacy_notifications_enabled: 0, + legacy_investigation_fields: 0, + }, custom_total: { ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total, enabled: 1, 
@@ -172,6 +191,11 @@ export default ({ getService }: FtrProviderContext) => { notifications_disabled: 1, disabled: 1, }, + query_custom: { + ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.query, + notifications_disabled: 1, + disabled: 1, + }, custom_total: { ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total, notifications_disabled: 1, @@ -200,6 +224,12 @@ export default ({ getService }: FtrProviderContext) => { alerts: 4, notifications_enabled: 1, }, + query_custom: { + ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.query_custom, + enabled: 1, + alerts: 4, + notifications_enabled: 1, + }, custom_total: { ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total, enabled: 1, @@ -227,6 +257,11 @@ export default ({ getService }: FtrProviderContext) => { disabled: 1, legacy_notifications_disabled: 1, }, + query_custom: { + ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.query_custom, + disabled: 1, + legacy_notifications_disabled: 1, + }, custom_total: { ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total, disabled: 1, @@ -255,6 +290,12 @@ export default ({ getService }: FtrProviderContext) => { enabled: 1, legacy_notifications_enabled: 1, }, + query_custom: { + ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.query_custom, + alerts: 4, + enabled: 1, + legacy_notifications_enabled: 1, + }, custom_total: { ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total, alerts: 4, 
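Review bot: In the `@@ -172` hunk the new `query_custom` expectation spreads `detection_rule_usage.query` instead of `detection_rule_usage.query_custom`, unlike every other `query_custom` block added in this file; the assertion only passes because the two initial objects currently hold identical values, so any future divergence between them would make this case silently check the wrong baseline. Change the spread to `...getInitialDetectionMetrics().detection_rules.detection_rule_usage.query_custom,`.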
@@ -300,6 +341,13 @@ export default ({ getService }: FtrProviderContext) => { disabled: 3, legacy_investigation_fields: 2, }, + query_custom: { + ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.query_custom, + alerts: 0, + enabled: 0, + disabled: 3, + legacy_investigation_fields: 2, + }, custom_total: { ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total, alerts: 0, @@ -334,6 +382,11 @@ export default ({ getService }: FtrProviderContext) => { disabled: 1, has_exceptions: 1, }, + query_custom: { + ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.query_custom, + disabled: 1, + has_exceptions: 1, + }, custom_total: { ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total, disabled: 1, @@ -361,6 +414,14 @@ export default ({ getService }: FtrProviderContext) => { legacy_notifications_disabled: 0, legacy_notifications_enabled: 0, }, + eql_custom: { + ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.eql_custom, + disabled: 1, + notifications_enabled: 0, + notifications_disabled: 0, + legacy_notifications_disabled: 0, + legacy_notifications_enabled: 0, + }, custom_total: { ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total, disabled: 1, @@ -393,6 +454,16 @@ export default ({ getService }: FtrProviderContext) => { legacy_notifications_enabled: 0, legacy_investigation_fields: 0, }, + eql_custom: { + ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.eql_custom, + enabled: 1, + alerts: 4, + notifications_enabled: 0, + notifications_disabled: 0, + legacy_notifications_disabled: 0, + legacy_notifications_enabled: 0, + legacy_investigation_fields: 0, + }, custom_total: { ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total, enabled: 1, 
@@ -423,6 +494,11 @@ export default ({ getService }: FtrProviderContext) => {
 notifications_disabled: 1,
 disabled: 1,
 },
+ eql_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.eql_custom,
+ notifications_disabled: 1,
+ disabled: 1,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 notifications_disabled: 1,
@@ -451,6 +527,12 @@ export default ({ getService }: FtrProviderContext) => {
 alerts: 4,
 notifications_enabled: 1,
 },
+ eql_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.eql_custom,
+ enabled: 1,
+ alerts: 4,
+ notifications_enabled: 1,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 enabled: 1,
@@ -477,6 +559,11 @@ export default ({ getService }: FtrProviderContext) => {
 disabled: 1,
 legacy_notifications_disabled: 1,
 },
+ eql_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.eql_custom,
+ disabled: 1,
+ legacy_notifications_disabled: 1,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 disabled: 1,
@@ -505,6 +592,12 @@ export default ({ getService }: FtrProviderContext) => {
 enabled: 1,
 legacy_notifications_enabled: 1,
 },
+ eql_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.eql_custom,
+ alerts: 4,
+ enabled: 1,
+ legacy_notifications_enabled: 1,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 alerts: 4,
@@ -541,6 +634,11 @@ export default ({ getService }: FtrProviderContext) => {
 disabled: 1,
 has_exceptions: 1,
 },
+ eql_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.eql_custom,
+ disabled: 1,
+ has_exceptions: 1,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 disabled: 1,
@@ -575,6 +673,15 @@ export default ({ getService }: FtrProviderContext) => {
 legacy_notifications_enabled: 0,
 legacy_investigation_fields: 0,
 },
+ threshold_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.threshold_custom,
+ disabled: 1,
+ notifications_enabled: 0,
+ notifications_disabled: 0,
+ legacy_notifications_disabled: 0,
+ legacy_notifications_enabled: 0,
+ legacy_investigation_fields: 0,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 disabled: 1,
@@ -614,6 +721,16 @@ export default ({ getService }: FtrProviderContext) => {
 legacy_notifications_enabled: 0,
 legacy_investigation_fields: 0,
 },
+ threshold_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.threshold_custom,
+ enabled: 1,
+ alerts: 4,
+ notifications_enabled: 0,
+ notifications_disabled: 0,
+ legacy_notifications_disabled: 0,
+ legacy_notifications_enabled: 0,
+ legacy_investigation_fields: 0,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 enabled: 1,
@@ -650,6 +767,11 @@ export default ({ getService }: FtrProviderContext) => {
 notifications_disabled: 1,
 disabled: 1,
 },
+ threshold_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.threshold_custom,
+ notifications_disabled: 1,
+ disabled: 1,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 notifications_disabled: 1,
@@ -684,6 +806,12 @@ export default ({ getService }: FtrProviderContext) => {
 alerts: 4,
 notifications_enabled: 1,
 },
+ threshold_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.threshold_custom,
+ enabled: 1,
+ alerts: 4,
+ notifications_enabled: 1,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 enabled: 1,
@@ -716,6 +844,11 @@ export default ({ getService }: FtrProviderContext) => {
 disabled: 1,
 legacy_notifications_disabled: 1,
 },
+ threshold_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.threshold_custom,
+ disabled: 1,
+ legacy_notifications_disabled: 1,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 disabled: 1,
@@ -750,6 +883,12 @@ export default ({ getService }: FtrProviderContext) => {
 enabled: 1,
 legacy_notifications_enabled: 1,
 },
+ threshold_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.threshold_custom,
+ alerts: 4,
+ enabled: 1,
+ legacy_notifications_enabled: 1,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 alerts: 4,
@@ -786,6 +925,11 @@ export default ({ getService }: FtrProviderContext) => {
 enabled: 1,
 has_exceptions: 1,
 },
+ threshold_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.threshold_custom,
+ enabled: 1,
+ has_exceptions: 1,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 enabled: 1,
@@ -815,6 +959,16 @@ export default ({ getService }: FtrProviderContext) => {
 legacy_notifications_enabled: 0,
 legacy_investigation_fields: 0,
 },
+ machine_learning_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage
+ .machine_learning_custom,
+ disabled: 1,
+ notifications_enabled: 0,
+ notifications_disabled: 0,
+ legacy_notifications_disabled: 0,
+ legacy_notifications_enabled: 0,
+ legacy_investigation_fields: 0,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 disabled: 1,
@@ -845,6 +999,16 @@ export default ({ getService }: FtrProviderContext) => {
 legacy_notifications_enabled: 0,
 legacy_investigation_fields: 0,
 },
+ machine_learning_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage
+ .machine_learning_custom,
+ enabled: 1,
+ notifications_enabled: 0,
+ notifications_disabled: 0,
+ legacy_notifications_disabled: 0,
+ legacy_notifications_enabled: 0,
+ legacy_investigation_fields: 0,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 enabled: 1,
@@ -874,6 +1038,12 @@ export default ({ getService }: FtrProviderContext) => {
 notifications_disabled: 1,
 disabled: 1,
 },
+ machine_learning_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage
+ .machine_learning_custom,
+ notifications_disabled: 1,
+ disabled: 1,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 notifications_disabled: 1,
@@ -899,6 +1069,12 @@ export default ({ getService }: FtrProviderContext) => {
 enabled: 1,
 notifications_enabled: 1,
 },
+ machine_learning_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage
+ .machine_learning_custom,
+ enabled: 1,
+ notifications_enabled: 1,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 enabled: 1,
@@ -924,6 +1100,12 @@ export default ({ getService }: FtrProviderContext) => {
 disabled: 1,
 legacy_notifications_disabled: 1,
 },
+ machine_learning_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage
+ .machine_learning_custom,
+ disabled: 1,
+ legacy_notifications_disabled: 1,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 disabled: 1,
@@ -949,6 +1131,12 @@ export default ({ getService }: FtrProviderContext) => {
 enabled: 1,
 legacy_notifications_enabled: 1,
 },
+ machine_learning_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage
+ .machine_learning_custom,
+ enabled: 1,
+ legacy_notifications_enabled: 1,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 enabled: 1,
@@ -980,6 +1168,12 @@ export default ({ getService }: FtrProviderContext) => {
 disabled: 1,
 has_exceptions: 1,
 },
+ machine_learning_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage
+ .machine_learning_custom,
+ disabled: 1,
+ has_exceptions: 1,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 disabled: 1,
@@ -1008,6 +1202,16 @@ export default ({ getService }: FtrProviderContext) => {
 legacy_notifications_enabled: 0,
 legacy_investigation_fields: 0,
 },
+ threat_match_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage
+ .threat_match_custom,
+ disabled: 1,
+ notifications_enabled: 0,
+ notifications_disabled: 0,
+ legacy_notifications_disabled: 0,
+ legacy_notifications_enabled: 0,
+ legacy_investigation_fields: 0,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 disabled: 1,
@@ -1056,6 +1260,17 @@ export default ({ getService }: FtrProviderContext) => {
 legacy_notifications_enabled: 0,
 legacy_investigation_fields: 0,
 },
+ threat_match_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage
+ .threat_match_custom,
+ enabled: 1,
+ alerts: 4,
+ notifications_enabled: 0,
+ notifications_disabled: 0,
+ legacy_notifications_disabled: 0,
+ legacy_notifications_enabled: 0,
+ legacy_investigation_fields: 0,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 enabled: 1,
@@ -1086,6 +1301,12 @@ export default ({ getService }: FtrProviderContext) => {
 notifications_disabled: 1,
 disabled: 1,
 },
+ threat_match_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage
+ .threat_match_custom,
+ notifications_disabled: 1,
+ disabled: 1,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 notifications_disabled: 1,
@@ -1129,6 +1350,13 @@ export default ({ getService }: FtrProviderContext) => {
 alerts: 4,
 notifications_enabled: 1,
 },
+ threat_match_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage
+ .threat_match_custom,
+ enabled: 1,
+ alerts: 4,
+ notifications_enabled: 1,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 enabled: 1,
@@ -1155,6 +1383,12 @@ export default ({ getService }: FtrProviderContext) => {
 disabled: 1,
 legacy_notifications_disabled: 1,
 },
+ threat_match_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage
+ .threat_match_custom,
+ disabled: 1,
+ legacy_notifications_disabled: 1,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 disabled: 1,
@@ -1198,6 +1432,13 @@ export default ({ getService }: FtrProviderContext) => {
 enabled: 1,
 legacy_notifications_enabled: 1,
 },
+ threat_match_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage
+ .threat_match_custom,
+ alerts: 4,
+ enabled: 1,
+ legacy_notifications_enabled: 1,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 alerts: 4,
@@ -1230,6 +1471,12 @@ export default ({ getService }: FtrProviderContext) => {
 disabled: 1,
 has_exceptions: 1,
 },
+ threat_match_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage
+ .threat_match_custom,
+ disabled: 1,
+ has_exceptions: 1,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 disabled: 1,
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/telemetry/trial_license_complete_tier/usage_collector/detection_rules_legacy_action.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/telemetry/trial_license_complete_tier/usage_collector/detection_rules_legacy_action.ts
index da29fb320b140..20c83d08103f4 100644
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/telemetry/trial_license_complete_tier/usage_collector/detection_rules_legacy_action.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/telemetry/trial_license_complete_tier/usage_collector/detection_rules_legacy_action.ts
@@ -88,6 +88,12 @@ export default ({ getService }: FtrProviderContext) => {
 alerts: 4,
 notifications_enabled: 1,
 },
+ query_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.query,
+ enabled: 1,
+ alerts: 4,
+ notifications_enabled: 1,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 enabled: 1,
@@ -115,6 +121,11 @@ export default ({ getService }: FtrProviderContext) => {
 disabled: 1,
 legacy_notifications_disabled: 1,
 },
+ query_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.query_custom,
+ disabled: 1,
+ legacy_notifications_disabled: 1,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 disabled: 1,
@@ -143,6 +154,12 @@ export default ({ getService }: FtrProviderContext) => {
 enabled: 1,
 legacy_notifications_enabled: 1,
 },
+ query_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.query,
+ alerts: 4,
+ enabled: 1,
+ legacy_notifications_enabled: 1,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 alerts: 4,
@@ -171,6 +188,11 @@ export default ({ getService }: FtrProviderContext) => {
 disabled: 1,
 legacy_notifications_disabled: 1,
 },
+ eql_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.eql_custom,
+ disabled: 1,
+ legacy_notifications_disabled: 1,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 disabled: 1,
@@ -199,6 +221,12 @@ export default ({ getService }: FtrProviderContext) => {
 enabled: 1,
 legacy_notifications_enabled: 1,
 },
+ eql_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.eql_custom,
+ alerts: 4,
+ enabled: 1,
+ legacy_notifications_enabled: 1,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 alerts: 4,
@@ -233,6 +261,11 @@ export default ({ getService }: FtrProviderContext) => {
 disabled: 1,
 legacy_notifications_disabled: 1,
 },
+ threshold_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.threshold_custom,
+ disabled: 1,
+ legacy_notifications_disabled: 1,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 disabled: 1,
@@ -267,6 +300,12 @@ export default ({ getService }: FtrProviderContext) => {
 enabled: 1,
 legacy_notifications_enabled: 1,
 },
+ threshold_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.threshold_custom,
+ alerts: 4,
+ enabled: 1,
+ legacy_notifications_enabled: 1,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 alerts: 4,
@@ -296,6 +335,12 @@ export default ({ getService }: FtrProviderContext) => {
 disabled: 1,
 legacy_notifications_disabled: 1,
 },
+ machine_learning_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage
+ .machine_learning_custom,
+ disabled: 1,
+ legacy_notifications_disabled: 1,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 disabled: 1,
@@ -321,6 +366,12 @@ export default ({ getService }: FtrProviderContext) => {
 enabled: 1,
 legacy_notifications_enabled: 1,
 },
+ machine_learning_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage
+ .machine_learning_custom,
+ enabled: 1,
+ legacy_notifications_enabled: 1,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 enabled: 1,
@@ -348,6 +399,12 @@ export default ({ getService }: FtrProviderContext) => {
 disabled: 1,
 legacy_notifications_disabled: 1,
 },
+ threat_match_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage
+ .threat_match_custom,
+ disabled: 1,
+ legacy_notifications_disabled: 1,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 disabled: 1,
@@ -391,6 +448,13 @@ export default ({ getService }: FtrProviderContext) => {
 enabled: 1,
 legacy_notifications_enabled: 1,
 },
+ threat_match_custom: {
+ ...getInitialDetectionMetrics().detection_rules.detection_rule_usage
+ .threat_match_custom,
+ alerts: 4,
+ enabled: 1,
+ legacy_notifications_enabled: 1,
+ },
 custom_total: {
 ...getInitialDetectionMetrics().detection_rules.detection_rule_usage.custom_total,
 alerts: 4,